Meegle API

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Meegle API documentation skill, but it gives agents broad business-data read/write/delete guidance without enough confirmation and scoping safeguards.

Install only if you want an agent to operate Meegle with the permissions of your plugin or user token. Use least-privilege Meegle credentials, restrict plugin data scope, avoid unscoped cross-space searches, and require explicit confirmation before any delete, replace, batch update, membership change, workflow/template change, or attachment removal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Missing User Warnings

Medium
Confidence: 89%
Finding:
The skill documents a DELETE endpoint for removing relationship settings but does not prominently warn that the action is destructive, may be irreversible, and can affect downstream configuration or workflows relying on that relation_id. In an agent setting, this omission increases the chance of accidental destructive changes if a user request is ambiguous or the agent acts without explicit confirmation.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The update API is described as an overwrite operation, but the skill does not present a strong safety warning that omitted relation_details or name values will replace the existing configuration rather than merge with it. In practice, an agent or user could unintentionally erase relationship targets by sending a partial update, causing configuration loss or broken associations.

Missing User Warnings

Medium
Confidence: 90%
Finding:
This skill documents update and delete operations that can modify or remove workflow templates, but it does not explicitly warn the agent or end user about destructive impact, irreversibility, or the need for confirmation before execution. In an agent setting, this omission increases the chance of accidental administrative changes being carried out from ambiguous or overly broad user requests.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill documents a destructive membership-modification API that can add, delete, or fully replace group members, but it does not instruct the agent to require explicit user confirmation, preview the exact changes, or warn about side effects. In an agent setting, this increases the risk of unintended privilege and membership changes, especially because deleting space members can implicitly remove them from other user groups.

Missing User Warnings

Medium
Confidence: 87%
Finding:
The skill exposes a destructive `delete_views` operation that can remove fixed, conditional, or panoramic views, but it does not include an explicit warning to the agent to confirm user intent before execution. In an agent setting, this increases the risk of accidental or ambiguous deletion requests being carried out, causing loss of configuration or operational disruption even if the underlying API enforces authentication and authorization.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill documents a delete_attachment API that can permanently remove one or more files from a work item, but it provides no guidance to confirm user intent, warn about irreversible deletion, or encourage safer alternatives. In an agent setting, this omission increases the risk of accidental or overly broad destructive actions being executed from ambiguous prompts or automation mistakes.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill documents a destructive DELETE/unbind capability without instructing the agent to require explicit user confirmation or to warn that the action will remove cross-space associations. In an agent setting, this increases the risk of accidental or over-broad state changes, especially because the notes say optional identifiers may be omitted and behavior may vary, which can make the deletion scope ambiguous.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The cross-space listing API explicitly states that if project_keys and simple_names are omitted, it queries all spaces where the plugin is installed and the user has permission. Because the skill presents this as normal behavior without a strong privacy/scope warning, an agent or user may unintentionally perform organization-wide data enumeration, exposing metadata and work item contents beyond the intended project scope.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The full-text search usage notes describe searching across multiple spaces but do not warn that results can include data from every specified space, potentially surfacing sensitive titles, descriptions, or related fields. In an agent context, broad keyword searches are easy to trigger and can unintentionally aggregate information across projects, increasing privacy and data-minimization risk.

VirusTotal

65/65 vendors flagged this skill as clean.
