Veeva Vault

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Veeva Vault integration, but it gives an agent broad authenticated power to change or delete sensitive business records without clear safety guardrails.

Install only if you are comfortable allowing an agent, through Membrane, to access and modify Veeva Vault data. Use a least-privilege Vault account, require explicit confirmation before writes or deletes, verify target document or record IDs, and prefer curated Membrane actions over raw proxy requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill advertises destructive actions such as deleting documents and object records without any explicit requirement for user confirmation, dry-run behavior, or safety checks. In an agentic context, this increases the risk that a vague or misinterpreted prompt could cause irreversible data loss in a regulated enterprise system.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
