ClawHub

Bamboohr

Security checks across malware telemetry and agentic risk

Overview

This is a real BambooHR integration, but it gives an agent broad access to sensitive HR records and write-capable API calls without enough built-in approval guidance.

Install only if Membrane is approved for your organization’s BambooHR data. Use a least-privilege BambooHR connection, prefer listed Membrane actions over raw proxy requests, and require explicit review before creating, updating, deleting, exporting, or reporting on HR records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly documents raw proxy requests and data-modifying operations against a highly sensitive HR system without guardrails, confirmation requirements, or warnings about handling employee PII and destructive changes. In context, this increases the chance an agent will perform broad reads or writes to payroll, employee, applicant, or time-off data with insufficient user validation, causing confidentiality or integrity harm.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal