Bump

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed Membrane-based app integration, with a broad raw API fallback that users should treat carefully but not as hidden or malicious behavior.

Before installing, connect only accounts whose data you are comfortable managing through Membrane. Prefer listed Membrane actions, and ask the agent to confirm the endpoint, HTTP method, and intended effect before any POST, PUT, PATCH, or DELETE proxy request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The documentation encourages direct proxy requests to the external API without clearly warning that these requests may perform destructive or state-changing operations. In an agent setting, this increases the chance that a model issues unsafe POST/PUT/PATCH/DELETE requests or targets sensitive endpoints without user awareness or confirmation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal