Webcrm

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WebCRM integration that uses Membrane to access and manage CRM data, with no hidden executable code in the artifact.

Install only if you trust Membrane and are comfortable connecting your WebCRM account. Use the least-privileged WebCRM account practical, prefer predefined Membrane actions, and review any raw API request before approving create, update, delete, workflow-changing, or bulk operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly exposes a generic proxy request mechanism that supports arbitrary HTTP methods, headers, body data, query parameters, and path parameters against the connected WebCRM API. In a CRM context, this can enable broad read/write/delete operations on sensitive customer and sales data without any built-in requirement for confirmation before destructive or high-impact actions, increasing the risk of accidental or unauthorized modification.

VirusTotal

63/63 vendors flagged this skill as clean.
