Worksnaps

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Worksnaps integration, but it needs review because it gives an agent broad authenticated access to employee time-tracking data without clear safeguards for changes or deletions.

Review before installing. Use a least-privilege Worksnaps account where possible, confirm that Membrane is an acceptable intermediary for employee time-tracking data, and require explicit approval before any non-GET request or raw proxy command that could create, update, or delete Worksnaps records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill documents a generic proxy mechanism that supports POST, PUT, PATCH, and DELETE against the Worksnaps API without any safety guidance, confirmation requirements, or read-only defaults. In an agent setting, this increases the chance of accidental or unauthorized state-changing operations on employee, project, or time-tracking data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal