ClawHub

Oracle Taleo

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Oracle Taleo integration, but it gives an agent broad access to sensitive HR records and direct write/delete API capability without clear safeguards.

Review before installing. Use only a least-privilege Taleo account, confirm every create/update/delete action outside the skill, verify that your organization permits Membrane to handle Taleo data, and revoke the Membrane connection when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation description is broad enough that an agent could select this skill for many generic HR or recruiting requests without clearly signaling that it can access or modify sensitive Taleo records. In a system handling applicant and employee data, over-broad routing increases the chance of unnecessary exposure or unintended record changes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documentation does not warn that Oracle Taleo data may include highly sensitive HR and applicant information, such as PII, recruiting decisions, and onboarding data. Without explicit cautions, an agent may retrieve, expose, or modify sensitive records without appropriate user confirmation or least-privilege handling.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The proxy request section enables arbitrary API calls, including write or delete operations, but does not instruct the agent to warn the user or confirm dangerous actions first. Because the proxy can bypass safer prebuilt actions and operate directly on Taleo endpoints, misuse could lead to unauthorized data access, corruption, or deletion of sensitive HR records.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal