Flyio

Security checks across malware telemetry and agentic risk

Overview

This Fly.io skill is instruction-only and purpose-aligned, but it gives an agent broad cloud-management power without clear confirmation safeguards for destructive or raw API actions.

Install only if you trust Membrane and intend to let an agent manage Fly.io resources. Use the least-privileged Fly.io account available, review the exact organization/app/machine/volume/secret before any change, and require explicit confirmation before deletes, secret updates, machine updates, or raw proxy requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill advertises destructive actions like deleting apps, machines, volumes, and secrets without any warning, safeguards, or requirement for explicit confirmation. In an agent setting, this increases the chance that a model could execute irreversible operations from ambiguous user prompts or inferred intent, causing service disruption or data loss.

VirusTotal

63/63 vendors flagged this skill as clean.
