Vendasta

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate Vendasta integration, but it gives broad live business-data and API control without enough built-in confirmation guidance for risky changes.

Review this skill before installing if the connected Vendasta account has billing, refund, subscription, workflow, automation, posting, or bulk-edit permissions. Use read-only discovery first, prefer Membrane pre-built actions over raw proxy calls, and require explicit approval before any write, delete, billing, refund, subscription, campaign, workflow, automation, export, or bulk operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill documents raw proxy requests and mutating HTTP methods (POST, PUT, PATCH, DELETE) without requiring confirmation, warning about side effects, or recommending safe defaults. In an agent setting, this increases the chance of unintended record creation, modification, deletion, or other destructive API operations against a live Vendasta tenant.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal