Workday

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate Membrane-based Workday connector, but it exposes broad delegated access to sensitive HR/payroll data without clear action-scoping or approval safeguards.

Install only if you intend to use Membrane as the broker for Workday access. Pin or verify the Membrane CLI source, connect a least-privileged Workday account, and require explicit confirmation before any action that changes employee, compensation, payroll, financial, or organizational data.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

With a connected Workday account, the agent could select powerful Workday actions affecting sensitive employee or financial records if prompted or mis-invoked.

Why it was flagged

The skill pairs sensitive HR/payroll/financial systems with broadly selected Workday actions, but the provided instructions do not set clear read/write limits or require confirmation before high-impact actions.

Skill content
Workday ... manage human resources, payroll, and financial planning. ... Use action names and parameters as needed.
Recommendation

Use least-privileged or read-only Workday access where possible, and require explicit user confirmation before any create, update, delete, payroll, compensation, or personnel-change action.

ASI03: Identity and Privilege Abuse
Low
What this means

The skill is not credential-free in practice; it relies on the permissions of the Workday/Membrane account the user connects.

Why it was flagged

Delegated Membrane/Workday authentication and token refresh are expected for this integration, but they give the connected account authority over Workday data.

Skill content
membrane login --tenant --clientName=<agentType> ... Membrane handles authentication and credentials refresh automatically
Recommendation

Connect only an account with the minimum Workday permissions needed, review granted scopes, and revoke the connection when it is no longer needed.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The behavior of the installed CLI may change over time as npm publishes new versions.

Why it was flagged

The setup uses a globally installed npm package at the moving 'latest' tag; this is central to the Membrane workflow but not pinned to a reviewed version.

Skill content
npm install -g @membranehq/cli@latest
Recommendation

Install from the official package source, consider pinning a known-good CLI version, and review package provenance before use.

ASI01: Agent Goal Hijack
Low
What this means

A connector response could influence the agent's next steps during setup or reconnection.

Why it was flagged

The skill allows provider-returned connection state to supply instructions to the agent; this can be useful for setup, but those instructions should not override the user's goal or safety checks.

Skill content
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.
Recommendation

Treat returned agent instructions as bounded setup hints, and keep user confirmation for sensitive Workday or account actions.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Workday connection metadata and API interactions may depend on Membrane's service and security practices.

Why it was flagged

A third-party Membrane connector is in the path between the agent and Workday, including authentication handling; this is disclosed and purpose-aligned but still a sensitive data boundary.

Skill content
This skill uses the Membrane CLI to interact with Workday. Membrane handles authentication and credentials refresh automatically
Recommendation

Review Membrane's access, logging, and data-handling policies before connecting production Workday data.

ASI09: Human-Agent Trust Exploitation
Low
What this means

A user may underestimate that connecting Workday can expose employee, compensation, and financial-planning data.

Why it was flagged

The description mixes CRM-like objects with Workday HR/payroll scope, which could make the sensitive nature of the integration less obvious.

Skill content
description: ... Manage Organizations, Deals, Leads, Projects, Pipelines, Goals and more. ... Workday ... manage human resources, payroll, and financial planning.
Recommendation

Clarify the registry description and user-facing setup text to state the exact Workday domains and sensitivity level involved.