Lattice

Security checks across malware telemetry and agentic risk

Overview

This is a real Lattice/Membrane integration, but it needs review because it can access and change sensitive HR data with broad proxy API capability and limited safety guidance.

Install only if you intend to let an agent use an authorized Lattice account through Membrane. Use the least-privileged Lattice account possible, avoid admin-level access unless necessary, and require explicit approval before exporting employee data, changing goals or updates, or using raw proxy requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill description presents broad HR data management capabilities without warning that Lattice commonly contains sensitive employee, performance, and compensation-related information. That omission can cause users or downstream agents to invoke the skill without appropriate caution, increasing the likelihood of overbroad access, unintended disclosure, or unsafe modification of personnel data.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The proxy-request section enables arbitrary direct API calls, including POST, PUT, PATCH, and DELETE, but does not warn that these requests may bypass safer prebuilt actions and can perform destructive changes. In an HR system, this increases the risk of accidental record tampering, bulk updates, or deletion of sensitive employee data through overly permissive agent behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal