Formdesk

Security checks across malware telemetry and agentic risk

Overview

This Formdesk skill is a coherent integration, but it gives an agent broad authenticated authority to create, update, delete, export, download, and proxy Formdesk data without clear confirmation guardrails.

Install only if you trust Membrane and intend to let an agent operate on your Formdesk account. Use the least-privileged Formdesk account available, review every target resource before create/update/delete/export/download/proxy actions, and revoke the Membrane connection when it is no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The skill explicitly lists destructive capabilities such as deleting users, visitors, and form results, but provides no guidance to require user confirmation, authorization checks, or safer read-only defaults before invoking them. In an agentic setting, this increases the chance of accidental or overly autonomous destructive actions that could lead to data loss or account disruption.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal