Khoros Marketing

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Khoros Marketing integration, but it gives an agent broad authenticated API control without clear confirmation rules for changes or deletions.

Install only if you trust Membrane and intend to let an agent operate on Khoros Marketing data. Use the least-privileged Khoros account available, prefer discovered Membrane actions over raw proxy calls, and require explicit approval before any request that posts, edits, deletes, moderates, or changes campaigns, assets, records, or settings.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly recommends direct proxy requests and documents mutating HTTP methods (POST, PUT, PATCH, DELETE) without requiring confirmation, scoping guidance, or warning about destructive effects. In an agent setting, this can normalize unsafe raw API usage and increase the chance of unintended data modification, deletion, or broad changes to marketing assets and records.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal