Percy

Security checks across malware telemetry and agentic risk

Overview

This Percy skill is a coherent integration, but it gives an agent broad authenticated Percy API access, including write and delete requests, without explicit confirmation guidance.

Install only if you are comfortable letting an agent operate through your authenticated Percy connection. Prefer prebuilt Membrane actions, use the least-privileged Percy account available, and require explicit approval before any POST, PUT, PATCH, or DELETE proxy request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill instructs the agent to use direct proxy requests with full HTTP method support, including POST, PUT, PATCH, and DELETE, without emphasizing that these operations can change or delete live Percy data. In an agent setting, this increases the chance of unintended state-changing actions against a remote service, especially if the agent falls back to raw requests without explicit user confirmation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal