CRM Kit

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed CRM connector that uses a bearer token to manage CRM records, with sensitive operations described and user confirmation paths documented.

Install only if you want an agent to access and modify CRM data in crmkit. Treat the bearer token like a password, avoid exposing it in chat logs or screenshots, review active tokens periodically, and revoke sessions you no longer use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The manual instructs the agent to save a long-lived bearer token and reuse it on every request, but it does not clearly emphasize that the token is a sensitive credential equivalent to account access. In agent environments, cached or echoed tokens can be exposed through logs, tool traces, memory, or downstream prompts, enabling unauthorized CRM access.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal