Alchemer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Alchemer integration with broad write and proxy capabilities, but no hidden or malicious behavior was found.

Install only if you trust Membrane and are comfortable granting it access to Alchemer. Use a least-privileged Alchemer account, verify the Membrane CLI package before installing, and require explicit approval before create, update, delete, or raw proxy API requests against production data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly documents write-capable actions and raw proxy requests without requiring user confirmation, read-only defaults, or warnings about destructive side effects. In an agent setting, this increases the chance of unintended record creation, modification, or deletion through natural-language prompts or misinterpreted tasks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal