Zoho Bugtracker

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Zoho Bugtracker integration, but it gives an agent broad authenticated power to change or delete project data without clear safety checks.

Install only if you are comfortable granting Membrane-mediated access to your Zoho Bugtracker account. Use a least-privileged Zoho account where possible, verify the Membrane CLI package before installing, and require the agent to show the exact target and input before any create, update, delete, or raw proxy request is run.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill advertises delete actions for bugs, projects, and milestones without any warning, confirmation, or requirement to verify user intent. In an agent setting, this can lead to accidental or over-broad destructive operations, especially if the model misinterprets a request or selects an unsafe action autonomously.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The proxy request feature enables arbitrary API calls through an authenticated connection, but the documentation does not warn about sending sensitive data, mutating endpoints, or the risks of free-form paths and payloads. This broad capability increases the attack surface and could enable unintended data exposure or dangerous writes if used without validation and least-privilege guidance.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal