Vision6

Security checks across malware telemetry and agentic risk

Overview

This Vision6 skill is coherent, but it gives an agent broad API access that can change or delete marketing data without clear confirmation guidance.

Install only if you want an agent connected to your Vision6 account through Membrane. Before allowing POST, PUT, PATCH, DELETE, or any action that changes contacts, lists, campaigns, automations, reports, or email-related data, require an explicit confirmation and prefer least-privilege Vision6/Membrane access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly documents raw proxy access with mutating methods like POST, PUT, PATCH, and DELETE, but does not require confirmation, scoping, or warn that these calls can modify or delete production marketing data. In a Vision6 context, this could lead to unintended contact changes, campaign alterations, or destructive actions if an agent uses direct requests too freely.

VirusTotal

63/63 vendors flagged this skill as clean.
