ClawHub

Yespo

Security checks across malware telemetry and agentic risk

Overview

This Yespo integration is coherent, but it gives agents broad marketing-platform authority without clear confirmation rules for sends, writes, deletes, or automation changes.

Install only if you trust Membrane with your Yespo connection and are comfortable with an agent potentially accessing customer, order, campaign, and messaging data. Before use, require the agent to summarize targets and expected effects, and give explicit approval before sending messages, changing contacts or campaigns, deleting records, exporting data, or triggering automations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description is broadly scoped ('manage data, records, and automate workflows') and can trigger for many Yespo-related requests without clarifying limits, approval boundaries, or safe/read-only defaults. In a platform that can access customer data, campaigns, contacts, orders, and messaging, this increases the chance the agent will invoke the skill for privacy-impacting or destructive operations without sufficient user confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions describe running actions and proxying arbitrary API requests but do not require warning the user or obtaining confirmation before operations that may send messages, modify records, trigger automations, or expose personal data. Given Yespo's scope includes contacts, campaigns, SMS, email, orders, and loyalty data, omission of consent/confirmation safeguards creates a real risk of unauthorized outbound communications, data changes, or privacy violations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal