Serwersmspl

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real SerwerSMS.pl integration, but it gives agents broad authenticated SMS and contact-management power without clear confirmation safeguards.

Install only if you intend to let an agent operate a SerwerSMS.pl account through Membrane. Use the listed Membrane actions where possible, connect only the intended account, and require explicit confirmation before any send, schedule, update, delete, bulk contact, or raw proxy operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The skill description is broad enough to match many generic requests about managing data or automating workflows, which can cause the agent to invoke this integration outside the user's precise intent. In a messaging platform context, accidental invocation can expose contacts, message history, or trigger SMS-related operations that carry privacy and financial consequences.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The documentation enables direct action execution and raw proxy requests, including arbitrary HTTP methods, without emphasizing confirmation requirements for write, delete, send, or schedule operations. In this skill's context, those capabilities could send SMS/MMS/VMS messages, alter contact lists, or change records, leading to unauthorized communications, data modification, compliance issues, and direct monetary cost.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal