Cornerstone Talentlink

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Cornerstone TalentLink connector, but it can let an authenticated agent change sensitive recruiting records without clear confirmation guardrails.

Install only if you trust Membrane and intend to let an agent work with Cornerstone TalentLink. Use a least-privileged TalentLink account, review the permissions granted, and require the agent to show and confirm any create, update, delete, workflow, or raw proxy request before it runs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The invocation condition is broad enough to trigger on many generic requests involving data, records, or workflows, which can cause the skill to activate outside narrowly intended Cornerstone TalentLink tasks. Overbroad routing increases the chance an agent uses this network-enabled integration inappropriately, exposing external systems or causing unintended actions in the wrong context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal