Zephyr Squad Legacy

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Zephyr Squad Legacy integration that can manage testing records through Membrane, including updates and deletes, so it should be used carefully but does not show malicious behavior.

Install this only if you trust Membrane and intend to let an agent work with the connected Zephyr/Jira data. Use least-privileged access where possible, verify target projects, cycles, executions, and test steps before changes, and require explicit confirmation before create, update, delete, or raw proxy requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill advertises destructive actions such as deleting executions and test cycles without requiring or even recommending confirmation, dry-run behavior, or explicit user consent. In an agentic context, that omission increases the chance of accidental data loss or unauthorized state changes if the agent acts on ambiguous prompts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal