Tito

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Tito integration, but it gives an agent broad authenticated power to change or delete live Tito event data through raw API calls.

Install only if you trust Membrane and the agent with the relevant Tito account. Prefer discovered Membrane actions over raw proxy requests, review every POST, PUT, PATCH, or DELETE request before it runs, and revoke the Tito/Membrane connection when the task is complete.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly documents a raw proxy request mechanism supporting mutating HTTP methods including DELETE, POST, PUT, and PATCH, but provides no guardrails such as confirmation requirements, read-only defaults, or warnings before destructive operations. In a ticketing and event-management context, this could lead an agent to modify or delete live event, attendee, or webhook data without adequate user awareness.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal