Upayments

Security checks across malware telemetry and agentic risk

Overview

This is a real payment-service integration, but it gives an agent broad authenticated access to change or delete payment-related records without clear confirmation safeguards.

Install only if you trust Membrane and intend to grant access to the target UPayments account. Use the least-privileged account or scopes available, prefer listed Membrane actions over raw proxy calls, and require explicit confirmation before any POST, PUT, PATCH, DELETE, refund, invoice, customer, product, subscription, or payment-changing operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill explicitly documents raw proxy requests with mutating HTTP methods like POST, PUT, PATCH, and DELETE, but does not instruct the agent to confirm user intent before performing state-changing operations. In a payments context, this increases the risk of accidental or overly broad modifications to financial records, invoices, products, or customer-related data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal