Ovhcloud

Security checks across malware telemetry and agentic risk

Overview

This OVHcloud skill is legitimate in purpose, but it gives an agent broad authenticated cloud-management ability without enough guardrails for changing or deleting infrastructure.

Install only if you trust Membrane with OVHcloud access. Use a least-privilege OVHcloud account, prefer predefined Membrane actions, and require explicit approval before any create, update, delete, order, or production-impacting request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The skill explicitly documents direct proxy requests with mutating HTTP methods like POST, PUT, PATCH, and DELETE, but does not warn the agent to confirm user intent before performing data-changing or destructive operations. In an agent setting, this increases the risk of accidental infrastructure modification or deletion if a loosely specified request is interpreted too aggressively.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal