Nginx

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Membrane-based integration that can manage app data, including via raw API proxy calls, but the capability is purpose-aligned and not hidden or automatic.

Install only if you trust Membrane and are comfortable connecting a Zoho Cliq account. Prefer listed Membrane actions first, and require clear user intent before using raw proxy requests that create, update, or delete data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly documents a generic proxy mechanism that supports state-changing methods like POST, PUT, PATCH, and DELETE, but it does not require confirmation or warn about operational impact before mutating an NGINX-backed system. In an infrastructure context, this can lead an agent to perform destructive or configuration-changing actions against production services without clear user intent validation.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal