Confluence

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Confluence integration skill, but it can access and modify content in the linked workspace.

Install only if you trust the MorphixAI plugin and are comfortable granting agent access through the linked Confluence account. Use the least-privileged account or workspace possible, follow your organization's approval rules, and require explicit confirmation before creating, updating, labeling, commenting on, or deleting shared pages.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly documents update and delete operations for Confluence pages without warning that these actions can irreversibly modify or remove workspace content. In an agent setting, missing destructive-action warnings increases the chance of accidental data loss or unsafe automation, especially because the tool exposes direct CRUD capabilities over real organizational documentation.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill instructs users to link a Confluence account and provide an API key, but does not warn that this grants the agent access to potentially sensitive workspace pages, comments, and metadata. Without a privacy and data-handling notice, users may not appreciate the scope of accessible corporate information or the risks of exposing confidential documents through agent-driven queries.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal