Google My Business

Security checks across malware telemetry and agentic risk

Overview

This Google My Business skill is mostly transparent, but it gives an agent broad ability to change or delete business listing data without explicit safety guidance.

Install only if you trust Membrane and intend to let an agent manage a specific Google Business account. Review the OAuth permissions, use the least-privileged account available, prefer listed actions over raw proxy requests, and require explicit approval before any create, update, delete, answer, post, or direct API proxy operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly exposes destructive capabilities such as deleting locations and deleting place action links, but it provides no guidance to require user confirmation, scoped authorization, or safeguard checks before execution. In an agent setting, this increases the risk that a misunderstood prompt, unsafe automation flow, or prompt injection from upstream content could trigger irreversible business-impacting actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal