Font Awesome

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Font Awesome integration, but it gives an agent broad authenticated account access without clear safeguards for changes or deletes.

Install only if you are comfortable letting Membrane act on your Font Awesome account. Ask the agent to use discovered Membrane actions first and to get explicit confirmation before any account, subscription, kit, domain, POST, PUT, PATCH, or DELETE request; consider pinning or verifying the Membrane CLI before installing it globally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly documents a generic proxy mechanism supporting POST, PUT, PATCH, and DELETE without emphasizing that these requests can change or remove remote data. In an agent context, this increases the risk of unintended destructive actions because the model is given a powerful low-level primitive without clear guardrails around confirmation, scope limitation, or read-only defaults.

VirusTotal

63/63 vendors flagged this skill as clean.
