Thanksio

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Thanks.io integration, but it gives an agent account-changing and potentially costly powers without clear confirmation guardrails.

Install only if you are comfortable connecting a Thanks.io account through Membrane. Before allowing the agent to send mail or gift cards, cancel orders, delete mailing lists, or modify recipients, require it to show the exact action, recipients, costs or gift card amounts, and affected records, then ask for explicit confirmation. Consider pinning or reviewing the Membrane CLI source/version, and revoke the Membrane/Thanks.io connection when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill advertises destructive operations such as canceling orders and deleting recipients or mailing lists without instructing the agent to require explicit user confirmation or summarize consequences first. In an agentic context, that increases the chance of unintended destructive actions against live customer, campaign, or order data.

VirusTotal

63/63 vendors flagged this skill as clean.
