Dealersocket

Security checks across malware telemetry and agentic risk

Overview

This CRM integration is mostly transparent, but it gives an agent broad ability to change business records through raw API requests without clear confirmation safeguards.

Install only if you trust the publisher and are comfortable giving the agent CRM write access through Membrane. Use a least-privilege CRM account where possible, prefer the prebuilt actions, and explicitly require confirmation before any create, update, or delete operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly documents raw proxy access and supports state-changing methods like POST, PUT, PATCH, and DELETE without requiring confirmation, approval gates, or warning about data modification. In a CRM context, this could enable unintended creation, alteration, or deletion of customer, deal, task, or appointment records if an agent acts too aggressively or misinterprets a prompt.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal