Gong

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Gong integration, but it grants broad access to sensitive Gong data and possible record changes without enough built-in scoping or confirmation guidance.

Install only if your organization permits Membrane to mediate Gong access. Use the least-privileged Gong connection available, confirm every create/update or raw proxy request before it runs, avoid broad transcript or bulk exports unless clearly needed, and consider pinning or reviewing the Membrane CLI version before global installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 83%
Finding
The skill explicitly encourages direct proxying to the Gong API when prebuilt actions are insufficient, but it does not warn that Gong data can include highly sensitive business communications, transcripts, customer details, and deal information. In an agent setting, this can lead to over-broad data transmission or retrieval without adequate minimization, user awareness, or guardrails around sensitive endpoints.

VirusTotal

61/61 vendors flagged this skill as clean.
