Back to skill

Security audit

Ocean Io

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Ocean.io prospecting connector, but it can use an Ocean.io API token to spend credits and export company or contact lists.

Install only if you intend to let your agent use your Ocean.io account for prospecting. Use a revocable or limited API token if available, approve searches and exports only with clear record counts and credit costs, and avoid exporting or using personal contact data unless your organization has authorization and a lawful business basis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly enables searching for and exporting identifiable people/contact data, but it does not provide any privacy, lawful-basis, consent, or acceptable-use guidance. In a prospecting/export workflow, this omission can lead operators to collect or distribute personal data in ways that violate internal policy or privacy regulations, especially because the skill normalizes bulk export of contacts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.