Amcards

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate AMcards integration, but it gives an agent broad authenticated power to delete contacts and send campaigns without clear confirmation rules.

Install only if you want an agent to manage your AMcards account through Membrane. Before allowing deletes, sends, or raw proxy requests, require the agent to identify the exact contacts, recipients, campaign/card content, request method/path, and expected effects, then wait for explicit approval.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill advertises a destructive 'Delete Contact' capability without any guidance to require explicit user confirmation or to distinguish preview/read actions from irreversible mutations. In an agent setting, that increases the risk of unintended deletion from ambiguous prompts, mistaken entity selection, or over-eager automation.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The proxy request section enables arbitrary authenticated API calls, including write and delete operations, but provides no safety guidance, allowlisting, or confirmation requirements. In practice, this can let an agent perform powerful state-changing operations outside vetted actions, increasing the chance of data loss, unauthorized changes, or misuse through prompt ambiguity.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal