Armoryio

Security checks across malware telemetry and agentic risk

Overview

This Armory.io skill is a coherent integration, but it gives an authenticated agent broad control over deployment and account data without clear safety boundaries.

Install only if you trust Membrane and the npm-distributed Membrane CLI. Use a dedicated least-privilege Armory.io account or connection, review the requested scopes, and require explicit confirmation before any deployment, workflow, role, secret, credential, policy, access-control, POST, PUT, PATCH, or DELETE action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly instructs the agent to send direct proxy requests to the Armory.io API without requiring a user-facing warning or confirmation that data will be transmitted to an external service. In practice, this can lead to unreviewed transfer of sensitive operational, security, or repository data to a connected SaaS platform, especially because the skill also encourages broad API usage when built-in actions do not suffice.

VirusTotal

63/63 vendors flagged this skill as clean.
