Jiminny

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Jiminny integration, but it gives an agent broad authenticated access to sensitive sales-call data through a raw API proxy without enough guardrails.

Install only if you intend to let the agent access Jiminny through Membrane. Use the least-privileged Jiminny account available, prefer listed Membrane actions over raw proxy calls, require explicit approval before create/update/delete or bulk operations, avoid sending unnecessary transcript or recording content, and revoke the Membrane connection when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The skill encourages direct proxy requests to the Jiminny API without explicitly warning that these requests may include sensitive sales-call recordings, transcripts, snippets, comments, or customer-related data. In a conversation-intelligence context, this omission raises the risk of over-collection, unintended transmission, or mishandling of sensitive business and personal information.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal