Wistia

Security checks across malware telemetry and agentic risk

Overview

This Wistia skill is a coherent integration, but it needs review because it gives an agent broad authenticated access to Wistia, including write and delete API calls, without clear confirmation safeguards.

Install only if you trust Membrane and are comfortable granting it Wistia access. Use a least-privileged Wistia account or connection, review npm package provenance, and require explicit confirmation before any create, update, patch, or delete operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly documents a generic proxy mechanism that supports POST, PUT, PATCH, and DELETE against the Wistia API, but it does not require confirmation or warn about destructive operations. In an agent setting, this increases the chance that the model performs state-changing actions directly and unsafely, especially when prebuilt actions do not exist.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal