Orbisx

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OrbisX integration, but it gives an agent broad authenticated power over business data without clear safeguards for write or delete actions.

Install only if you trust Membrane and intend to let an agent access your OrbisX tenant. Use the least-privileged account available, prefer read-only/query actions first, and require explicit confirmation before any delete, payment, invoice, messaging, user, permission, or other irreversible operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 78%
Finding
The skill explicitly documents running actions and sending direct proxy requests against a live OrbisX tenant, including methods such as POST, PUT, PATCH, and DELETE, without guardrails like confirmation requirements, read-only defaults, or warnings about production data changes. In an agent setting, this increases the risk of accidental destructive operations, unauthorized data modification, or irreversible business-impacting changes caused by ambiguous prompts or agent mistakes.

VirusTotal

65/65 vendors flagged this skill as clean.
