Security audit

OpenMerch People Enrichment

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, paid OpenMerch integration that enriches one person profile at a time; returning sensitive contact data is its stated purpose.

Install only if you intend to send Apollo person IDs to OpenMerch, have a lawful basis to process the returned personal contact data, and accept that each enrichment can spend OpenMerch credits. Keep the API key private and use the default OpenMerch API URL unless you deliberately trust another endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

External Transmission

Medium
Category
Data Exfiltration
Content
        - OPENMERCH_API_KEY
      anyBins:
        - node
        - curl
    envVars:
      - name: OPENMERCH_API_KEY
        required: true
Confidence
60% confidence
Finding
curl envVars: - name: OPENMERCH_API_KEY required: true description: >- Your OpenMerch agent API key (om_live_...). Get it from the Developer page in the O

VirusTotal

64/64 vendors flagged this skill as clean.