Code Dx

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Code Dx integration, but it grants broad authenticated API control over sensitive vulnerability-management data without clear guardrails for state-changing actions.

Install only if you trust Membrane and intend to let an agent work with your Code Dx environment. Use a least-privilege Code Dx account, review discovered actions and proxy endpoints before use, and require explicit confirmation before any operation that creates, updates, or deletes projects, findings, comments, users, licenses, or other Code Dx records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Severity: Medium
Confidence: 84%

Finding
The top-level description, 'Use when the user wants to interact with Code Dx data,' is broad enough to match many vague enterprise or security-data requests. In an agentic environment, overly broad routing language can cause the skill to be selected in situations the user did not specifically intend, increasing the chance of unnecessary external access, data exposure, or unintended actions against a live Code Dx instance.

VirusTotal

64/64 vendors flagged this skill as clean.
