Very Good Security

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Very Good Security integration, but it gives an agent broad authenticated account access without enough built-in safeguards for sensitive or destructive operations.

Install only if you are comfortable letting an agent operate through Membrane against your VGS account. Use a least-privilege Membrane/VGS account, prefer discovered Membrane actions over raw proxy requests, and require explicit approval before any write, delete, billing, user, team, route, or API-key operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly enables arbitrary proxy requests to the Very Good Security API, including support for all major HTTP methods, custom headers, and raw bodies, but it does not instruct the agent to confirm destructive operations or avoid sending sensitive payloads unnecessarily. In a security/data-handling integration, this increases the risk of accidental data exposure, unauthorized modification, or destructive API use if an agent acts too broadly from a user prompt.

VirusTotal

VirusTotal findings are pending for this skill version.
