Insomnia

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Insomnia integration, but it gives the agent broad authenticated API authority without clear confirmation rules for changes or deletes.

Install only if you trust Membrane and are comfortable granting it access to your Insomnia account. Prefer discovered Membrane actions over raw proxy requests, use the least-privileged account or workspace practical, and require the agent to show and get approval for any POST, PUT, PATCH, or DELETE request before it runs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill explicitly instructs the agent to send direct proxy requests to the Insomnia API, including support for arbitrary methods, headers, query parameters, and request bodies, without requiring user confirmation or warning about data transmission and state-changing effects. In an agent setting, this increases the risk of silent external data disclosure or unintended modifications to remote resources if the model chooses a raw request path too aggressively.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal