Sms Magic

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate SMS Magic integration, but it lets an agent use broad authenticated SMS/account actions without clear approval guardrails for sends or data changes.

Install only if you are comfortable connecting Membrane to SMS Magic and letting an agent act through that account. Require the agent to show the exact action or endpoint, HTTP method, recipients, and payload before any send, delete, opt-out, campaign, list, template, contact, or raw proxy request, and revoke the Membrane connection when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly documents raw proxy requests supporting mutating HTTP methods like POST, PUT, PATCH, and DELETE without requiring confirmation or warning about side effects. In an agent setting, this increases the chance of unintended data modification, message sending, opt-out changes, or other destructive actions against a live SMS platform when the model falls back to direct API calls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal