Back to skill

Security audit

Tomba Contact Intelligence

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Tomba integration for contact lookup and enrichment, with expected credential use and no hidden execution behavior.

Install only if you intend to use Tomba for contact intelligence and have authority to process the contact data you submit. Treat names, emails, phone numbers, LinkedIn URLs, and lead details as data that may be sent to Tomba, follow applicable privacy laws and platform terms, and manage or rotate the Tomba API keys if access is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes contact discovery, email guessing, enrichment, phone lookup, and competitor intelligence over third-party individuals' data, but it provides no privacy, consent, acceptable-use, or legal-compliance guidance. In a skill specifically built to facilitate collection and enrichment of personal/business contact data, that omission materially increases the risk of misuse for unauthorized profiling, scraping, or outreach workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs use of external Tomba lookup tools on personal identifiers such as names, emails, phone numbers, LinkedIn URLs, and article URLs, but it does not warn that this data will be transmitted to a third-party service or may involve personal contact data. This can cause inadvertent privacy, consent, and compliance issues because users may provide sensitive personal data without understanding the external disclosure.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.