Winston AI

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Winston AI integration that uses Membrane for authentication and API access, with no evidence of hidden or unrelated behavior.

Install this only if you trust Membrane and are comfortable connecting a Winston AI account. Prefer discovered Membrane actions over raw proxy requests, review any text or documents before sending them, require explicit confirmation for POST, PUT, PATCH, DELETE, or bulk requests, and revoke the Membrane/Winston AI connection when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly instructs the agent to send direct proxy requests to the external Winston AI API, but it does not warn that user-provided content may be transmitted to a third-party service. This can lead to unintentional disclosure of sensitive text, documents, or metadata if the agent proxies user data without clear notice or consent.

VirusTotal

63/63 vendors flagged this skill as clean.
