CompanyCam

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate CompanyCam integration, but its permission wording understates sensitive capabilities: it exposes webhook management and reaches business-data resources beyond the ones it declares.

Install only if you trust Maton to broker CompanyCam OAuth access and you are comfortable with the full documented API surface. Before approving any write, delete, user-management, connection-management, or webhook action, verify the target account, resource ID, destination URL, and expected effect.
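The verification step above (check the target account, resource ID, destination URL and expected effect before approving a write, delete, user-management, connection-management or webhook action) can be enforced by the orchestrator rather than left to the user. The following is an added example, not code from CompanyCam, Maton or SkillSpector: the tool names, the verb-prefix convention, the argument shapes and the sample calls are all constructed for illustration.

```python
"""Approval gate for tool calls issued by a CompanyCam-style skill.

Added example: this is not code from CompanyCam, Maton or SkillSpector.
Tool names, argument shapes and the sample calls are constructed; the
verb sets encode the write / delete / user / connection / webhook
categories that must be verified before approval.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

# The leading verb of a tool name decides how much verification it needs (constructed convention).
READ_VERBS = {"get", "list", "search"}
WRITE_VERBS = {"create", "update", "add", "assign", "upload"}
DESTRUCTIVE_VERBS = {"delete", "remove", "revoke", "disconnect"}
MUTATES_EXISTING = {"update", "delete", "remove", "revoke"}  # must name a concrete object
# Tools touching these resources always need a human in the loop, whatever the verb.
SENSITIVE_RESOURCES = {"user", "connection", "webhook"}


@dataclass
class Decision:
    allow: bool
    needs_confirmation: bool
    reasons: list[str] = field(default_factory=list)


def classify(tool: str) -> str:
    """Map a tool name such as 'delete_photo' to read / write / destructive / unknown."""
    verb = tool.split("_", 1)[0].lower()
    if verb in READ_VERBS:
        return "read"
    if verb in DESTRUCTIVE_VERBS:
        return "destructive"
    if verb in WRITE_VERBS:
        return "write"
    return "unknown"


def webhook_url_problems(url: str) -> list[str]:
    """A webhook destination is an outbound data channel; refuse the obvious exfiltration shapes."""
    problems: list[str] = []
    p = urlparse(url)
    if p.scheme != "https":
        problems.append(f"scheme {p.scheme!r} is not https")
    host = p.hostname or ""
    if not host:
        problems.append("no destination host")
        return problems
    try:
        if not ipaddress.ip_address(host).is_global:
            problems.append(f"destination {host} is not a public address")
    except ValueError:
        pass  # a hostname, not an IP literal; the caller checks it against the allowlist
    if p.username or p.password:
        problems.append("credentials embedded in destination URL")
    return problems


def gate(call: dict, expected_account: str, allowlisted_hosts: set[str]) -> Decision:
    """Decide whether a tool call may proceed and whether a human must confirm it first."""
    tool, args = call["tool"], call.get("args", {})
    verb, _, resource = tool.lower().partition("_")
    kind = classify(tool)
    sensitive = any(r in resource for r in SENSITIVE_RESOURCES)
    d = Decision(allow=True, needs_confirmation=(kind != "read") or sensitive)

    # 1. The target account must be the one the operator expects.
    if args.get("account") != expected_account:
        d.allow = False
        d.reasons.append(f"account {args.get('account')!r} != expected {expected_account!r}")
    # 2. Unknown verbs are never auto-approved.
    if kind == "unknown":
        d.allow = False
        d.reasons.append(f"unrecognised verb in {tool!r}")
    # 3. Mutating an existing object needs a resource ID the reviewer can check.
    if verb in MUTATES_EXISTING and not args.get("id"):
        d.allow = False
        d.reasons.append("no resource ID to verify the target")
    # 4. Webhook destinations must be https, publicly routable and on the operator's allowlist.
    if "webhook" in resource and "url" in args:
        problems = webhook_url_problems(args["url"])
        host = urlparse(args["url"]).hostname or ""
        if host and host not in allowlisted_hosts:
            problems.append(f"destination host {host!r} not allowlisted")
        if problems:
            d.allow = False
            d.reasons.extend(problems)
    return d


# Constructed sample calls; acct_123 is the account the operator expects.
SAMPLE_CALLS = [
    {"tool": "list_projects", "args": {"account": "acct_123"}},
    {"tool": "delete_photo", "args": {"account": "acct_123"}},
    {"tool": "create_webhook", "args": {"account": "acct_123", "url": "http://10.0.0.5/hook"}},
    {"tool": "create_webhook", "args": {"account": "acct_123", "url": "https://hooks.example.com/ccam"}},
    {"tool": "update_project", "args": {"account": "acct_999", "id": "proj_1"}},
]
ALLOWLIST = {"hooks.example.com"}

if __name__ == "__main__":
    for c in SAMPLE_CALLS:
        d = gate(c, "acct_123", ALLOWLIST)
        print(f"{c['tool']:16} allow={d.allow} confirm={d.needs_confirmation} {d.reasons}")
```

The gate denies outright on anything it cannot verify (wrong account, missing ID, unknown verb, a webhook pointing at a private address or an unlisted host) and only asks for confirmation on calls that pass those checks; a read against a sensitive resource such as users still requires confirmation, because listing accounts is itself reconnaissance.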

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%

Finding: The skill description says it should be used for projects, photos, users, tags, groups, or documents, but the body also exposes webhook management. That mismatch can lead users or orchestrators to invoke capabilities they were never clearly warned about, expanding the effective action surface beyond the declared scope.

Intent-Code Divergence

Severity: Medium
Confidence: 90%

Finding: The security section understates scope by claiming access is limited to photos, projects, tags, users, and comments, while the documented API also supports groups, documents, checklists, assigned users, collaborators, labels, and webhooks. An inaccurate scope statement can lead users to approve actions without understanding the full reach of the connected integration.
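Both findings are the same check: compare the resources a skill declares in its description and security section with the resources its tools can actually reach, and report what is exposed but undeclared. The following is an added example of that audit, not SkillSpector's scanner and not the skill's own manifest. The manifest is constructed: the two prose statements paraphrase what the findings quote, and the tool names follow a hypothetical verb_resource convention chosen for this illustration.

```python
"""Scope-vs-capability audit for a skill manifest.

Added example, not SkillSpector's scanner. The manifest is constructed: the
description and security text paraphrase what the findings quote, and the
tool names are hypothetical (verb_resource convention).
"""
from __future__ import annotations

import re

MANIFEST = {
    "description": "Use this skill for CompanyCam projects, photos, users, tags, groups, or documents.",
    "security": "Access is limited to photos, projects, tags, users, and comments.",
    "tools": [
        "list_projects", "create_photo", "list_users", "add_tag", "list_groups",
        "upload_document", "list_checklists", "list_assigned_users",
        "add_collaborator", "create_label", "create_webhook", "delete_webhook",
    ],
}

# Canonical singular resource names; multi-word resources use underscores.
KNOWN_RESOURCES = {
    "project", "photo", "user", "tag", "group", "document", "comment",
    "checklist", "assigned_user", "collaborator", "label", "webhook",
}


def resources_in_text(text: str) -> set[str]:
    """Resource nouns a prose scope statement names, singular or plural."""
    found = set()
    for res in KNOWN_RESOURCES:
        phrase = re.escape(res.replace("_", " "))
        if re.search(rf"\b{phrase}s?\b", text, re.IGNORECASE):
            found.add(res)
    return found


def resource_of_tool(tool: str) -> str:
    """'list_assigned_users' -> 'assigned_user'; unknown resources are kept verbatim so they surface."""
    _verb, _, rest = tool.lower().partition("_")
    if rest in KNOWN_RESOURCES:
        return rest
    if rest.endswith("s") and rest[:-1] in KNOWN_RESOURCES:
        return rest[:-1]
    return rest


def resources_in_tools(tools: list[str]) -> set[str]:
    return {resource_of_tool(t) for t in tools}


def audit(manifest: dict) -> dict[str, set[str]]:
    """Exposed-but-undeclared resources per scope statement, plus resources claimed but never used."""
    exposed = resources_in_tools(manifest["tools"])
    declared = resources_in_text(manifest["description"])
    claimed = resources_in_text(manifest["security"])
    return {
        "description_undeclared": exposed - declared,   # Description-Behavior Mismatch
        "security_undeclared": exposed - claimed,       # Intent-Code Divergence
        "claimed_but_unused": claimed - exposed,        # informational
    }


if __name__ == "__main__":
    for name, resources in audit(MANIFEST).items():
        print(f"{name:24} {sorted(resources)}")
```

Run against the constructed manifest, the security-section gap comes out as groups, documents, checklists, assigned users, collaborators, labels and webhooks, which is exactly the list the second finding reports; the description gap is the same minus groups and documents. Keeping unknown resource names verbatim rather than dropping them means a new tool whose noun is not yet in the vocabulary still shows up as undeclared instead of silently passing.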

VirusTotal

63/63 vendors returned a clean verdict (no detections). Note that antivirus engines scan for known malicious code; a clean result says nothing about the scope and prompt-injection issues raised above.
