Engageats

Security checks across malware telemetry and agentic risk

Overview

This is a coherent EngageATS integration, but it gives broad authenticated access to sensitive recruiting data without clear write/delete safeguards.

Install only if you trust Membrane and are comfortable granting it access to EngageATS. Use a least-privileged account, prefer listed Membrane actions over raw proxy calls, and require clear user approval before creating, updating, deleting, or bulk-changing recruiting records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill documents a generic proxy capability that supports arbitrary API paths and mutating HTTP methods without any safety guidance about external data transmission, record changes, or confirmation before writes. In an ATS context, this could lead an agent to update, delete, or exfiltrate sensitive candidate and hiring data through raw requests that bypass safer, more constrained actions.

VirusTotal

65/65 vendors flagged this skill as clean.
