Sugarcrm

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate SugarCRM integration, but it gives an agent broad ability to change or delete CRM records without clear confirmation safeguards.

Install only if you are comfortable giving Membrane-mediated access to SugarCRM. Use a limited SugarCRM account where possible, review the permissions granted, and require manual confirmation before any delete, update, unlink, or bulk CRM operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The documentation advertises a delete-record action without any warning, confirmation guidance, or discussion of rollback/soft-delete semantics. In an agent setting, this increases the risk that a model may perform destructive operations on CRM data without sufficient user confirmation or safety checks, leading to unintended data loss or business disruption.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal