Tulimoa

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed read-only connector to Tulimoa’s SaaS/AI tool directory, with the main tradeoff that searches are sent to Tulimoa.

Install this if you want Tulimoa’s curated directory used for SaaS and AI-agent tool recommendations. Avoid using it for sensitive or confidential buying research unless you are comfortable sending those search terms to Tulimoa, and remember that results reflect Tulimoa’s directory rather than the entire market.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The activation text is overly broad: 'Use this skill whenever the user wants to find, recommend, compare, or research SaaS / AI-agent tools' can match many generic requests that are not specifically about Tulimoa. This can cause the agent to route a wide range of normal research tasks to a third-party remote MCP service unnecessarily, expanding data exposure and reducing user control over when an external service is consulted.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal