Security audit

Loomal Skill

Security checks across malware telemetry and agentic risk

Overview

This skill clearly discloses that it connects an agent to Loomal mail, vault, calendar, identity, and payment tools, with scope-gated keys and confirmation guidance for sensitive actions.

Install only if you want an agent to use Loomal for mail, credential vault, calendar, identity, and payment workflows. Use narrow per-task API keys, review granted scopes carefully, confirm the active identity before sensitive work, and treat payment, public calendar, deletion, and credential-use requests as actions that deserve explicit review.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README promotes capabilities that handle highly sensitive data and actions—email access, encrypted credential storage, live 2FA retrieval, public calendar exposure, and payments—but does not pair these with explicit user-facing risk warnings or safe-use guidance at the point of description. In an agent context, this omission matters because users may enable broad scopes or ask for actions like making calendars public or storing secrets without appreciating the privacy and integrity consequences, increasing the chance of accidental overexposure or misuse.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal