Kotive

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Kotive integration, but it gives the agent a broad authenticated API request path without clear confirmation rules for sensitive actions.

Install only if you trust Membrane and intend to let an agent operate your Kotive account. Use least-privileged credentials, prefer predefined Membrane actions, and require explicit approval before any create, update, delete, workflow-changing, or bulk data request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill exposes a generic authenticated proxy request mechanism to the external Kotive API without requiring explicit user confirmation or warning that arbitrary data may be transmitted off-platform. This increases the chance that an agent will send sensitive user or workspace data to third-party endpoints through broad, minimally constrained requests.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal