Tyk

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Tyk integration using Membrane for authenticated API access, with caution needed because it can send live write-capable API requests.

Install only if you want an agent to work with your Tyk environment through Membrane. Prefer read/list actions first, and require explicit user confirmation before any POST, PUT, PATCH, or DELETE request because those may change or delete live Tyk APIs, policies, users, quotas, or related configuration.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill documents authenticated proxy requests and action execution that can issue arbitrary state-changing API operations against a live Tyk environment, but it does not warn the agent or user about the risk of modifying production APIs, policies, users, or quotas. In an agent setting, this increases the chance of unintended destructive or high-impact changes being performed without explicit confirmation or safety guardrails.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal