Loomio

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Loomio read-only connector, with a few setup and scoping cautions but no evidence of hidden, destructive, or data-exfiltrating behavior.

Install only if you trust OOMOL to broker your Loomio connection and to provide the `oo` CLI. Expect the skill to read Loomio poll data available to the connected account. Treat the curl/PowerShell installer as privileged local code and prefer reviewing OOMOL's official install instructions before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Intent-Code Divergence

Low
Confidence: 91%
Finding
The file states under Safety that create, update, send, post, delete, or remove actions may be available and require confirmation, but the Available actions section lists only `get_poll` and `list_polls`, both read operations. This documentation implies broader state-changing capabilities than the skill actually exposes in this file.

Vague Triggers

Medium
Confidence: 95%
Finding
The description says to use this skill for "ANY Loomio request" and "Whenever a task involves Loomio," which is extremely broad and lacks clear boundaries for when the skill should or should not activate. There are no negative examples or scope constraints to prevent unintended invocation from ordinary references to Loomio.

External Script Fetching

High
Category: Supply Chain
Content
- **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>):

  ```bash
  curl -fsSL https://cli.oomol.com/install.sh | bash    # macOS / Linux
  ```

Confidence: 90%
Finding
`curl -fsSL https://cli.oomol.com/install.sh | bash`

VirusTotal

64/64 vendors flagged this skill as clean.
