Plate Recognizer

Security checks across malware telemetry and agentic risk

Overview

This Plate Recognizer skill is mostly coherent, but it gives an agent broad authenticated API access to manage sensitive ALPR resources without clear guardrails for state-changing requests.

Install only if you want an agent to access and administer your Plate Recognizer account through Membrane. Use the least-privileged account available, prefer listed Membrane actions over raw proxy calls, and require explicit confirmation before any create, update, or delete operation involving vehicles, cameras, regions, users, or alerts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 81% confidence
Finding: The skill documents a generic proxy mechanism that supports GET, POST, PUT, PATCH, and DELETE against the external API without any guidance about confirmation, read-only defaults, or destructive side effects. In a skill that manages vehicles, cameras, regions, users, and alerts, this can enable unintended state-changing or destructive operations if the agent uses raw requests too freely.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal