Miniorange

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed miniOrange integration, but it gives an agent broad authenticated control over a sensitive identity/security service without clear safeguards for mutating requests.

Install only if you trust Membrane as an intermediary for miniOrange administration and intend to let the agent act in that environment. Use a least-privileged account, prefer listed Membrane actions, require explicit approval before POST, PUT, PATCH, or DELETE requests, review endpoints and payloads before execution, and revoke the Membrane connection when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill documents a generic proxy mechanism that supports mutating methods like POST, PUT, PATCH, and DELETE without requiring confirmation or warning about destructive effects. In an agent setting, this increases the risk of unintended data modification or administrative changes against the connected miniOrange tenant, especially when the model falls back to raw requests instead of safer prebuilt actions.

VirusTotal

63/63 vendors flagged this skill as clean.