Have I Been Pwned

Security checks across malware telemetry and agentic risk

Overview

The skill is for legitimate Have I Been Pwned lookups, but users should review it because setup can run a remote installer script and it sends sensitive identifiers through an external connector.

Install only if you trust OOMOL's CLI and connector service with HIBP API access. Prefer the documented installer or a verified package over the embedded pipe-to-shell commands, and confirm before querying other people's email addresses or subscription details.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The instruction to use this skill for ANY Have I Been Pwned request is an overly broad routing trigger that can cause the agent to invoke the skill whenever HIBP is merely mentioned, even when direct use is unnecessary or the user did not intend connector-backed execution. In a security/privacy context, unintended invocation increases the chance of querying sensitive identifiers such as email addresses through an external service without sufficiently explicit user intent.

External Script Fetching

High

Category: Supply Chain
Content: - **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>): ```bash curl -fsSL https://cli.oomol.com/install.sh | bash # macOS / Linux ``` ```powershell
Confidence: 97% confidence
Finding: curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal