Workday Soap

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Workday/Membrane integration, but it can reach much broader sensitive Workday data than the narrow organization-management description suggests.

Install only if you intend to let an agent work with Workday through Membrane. Use a least-privilege or test Workday account, confirm Membrane is approved for your organization, avoid broad raw proxy calls unless explicitly reviewed, and require human approval before accessing worker, compensation, payroll, finance, security, account, or mutating operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The manifest and top-level description constrain the skill to 'Manage Organizations,' but the body documents access across a much broader set of Workday domains, including workers, compensation, payroll, security, audit logs, and user accounts. This scope mismatch can mislead users and downstream policy systems into authorizing a skill that in practice enables much broader access to sensitive enterprise data.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The 'Popular actions' section includes operations such as worker data, compensation plans, time-off balances, positions, and job profiles, which exceed the stated organization-management purpose. In a security-sensitive environment, this discrepancy increases the chance of overbroad use and unintended access to HR and payroll-adjacent data under a narrower-seeming skill label.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The proxy request feature permits direct arbitrary requests to Workday SOAP endpoints, effectively bypassing the narrower, discoverable action model and enabling access far beyond organization management. Because Workday commonly contains highly sensitive HR, payroll, identity, and audit data, arbitrary proxied requests materially increase the risk of unauthorized data retrieval or misuse if the skill is invoked under an overly broad trust assumption.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs the agent to run networked queries and raw proxy requests against Workday without clearly warning that these actions may access or transmit sensitive HR, payroll, organizational, and identity data. Lack of disclosure reduces informed consent and may cause users or agents to invoke the skill in contexts where sensitive enterprise data handling requires stricter review or approval.

VirusTotal

65/65 vendors flagged this skill as clean.
