Rewardful

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Rewardful integration guide that uses Membrane for authenticated account access, with no hidden code or persistence found.

Install this only if you want an agent to work with your Rewardful account through Membrane. Keep the Membrane connection scoped to the Rewardful workspace you intend to manage, and require explicit approval before any non-read action or raw proxy request that could change affiliates, customers, subscriptions, commissions, settings, or payout-related data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly documents a generic proxy mechanism that supports POST, PUT, PATCH, and DELETE against the Rewardful API without also requiring confirmation for state-changing operations. In an agent context, this increases the chance of unintended writes, deletions, or configuration changes if the model infers a mutating request from ambiguous user input.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal