Yapily

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Yapily/Membrane banking integration, but it gives broad financial-data and payment-related authority without enough explicit safety controls.

Review carefully before installing. Only connect accounts you intend the agent to use, verify Yapily/Membrane permissions, and require explicit confirmation before reading sensitive account data, verifying identity, creating beneficiaries, initiating payments, or using the raw proxy for write/delete requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly enables access to highly sensitive banking data and payment initiation capabilities, but it does not include clear operator-facing safety guidance about financial-data sensitivity, consent boundaries, or the risk of triggering real-world financial actions. In a banking context, missing warnings and guardrails materially increase the chance of accidental over-collection of account data, unauthorized payment-related operations, or user confusion about the consequences of executing actions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal