Wepay

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WePay integration, but it enables broad authenticated payment API actions without clear confirmation rules for money-moving or account-changing operations.

Install only if you intend to connect a WePay account through Membrane. Use sandbox or least-privilege credentials where possible, verify the Membrane CLI package before installing, and require explicit confirmation before any payment, refund, withdrawal, delete, or account-modifying action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly documents a generic request mechanism supporting POST, PUT, PATCH, and DELETE against a payment platform API, but it does not require confirmation, authorization checks, or warn about the risk of modifying financial records. In a payments context, raw proxy access materially increases the chance of unintended refunds, account changes, or destructive state changes if an agent acts on ambiguous prompts.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal