Workamajig

Security checks across malware telemetry and agentic risk

Overview

This Workamajig skill is purpose-aligned, but it gives an agent broad authenticated access to sensitive business and financial workflows without clear built-in limits or confirmation guidance.

Review before installing. Use a least-privilege or test Workamajig account where possible, avoid giving the agent broad admin access, and manually approve any write, delete, payment, invoice, purchase, accounting, permission, or bulk workflow action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly instructs use of direct proxy requests with mutating HTTP methods like POST, PUT, PATCH, and DELETE, but does not warn that these operations can alter or transmit real external data. In an agent setting, this increases the chance of unintended state changes in the user's Workamajig environment because the model is given a ready path to perform writes without requiring confirmation safeguards.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal