Placid

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Placid connector skill that uses OOMOL's CLI for template and image actions, with no evidence of hidden or malicious behavior.

Install this only if you intend to connect Placid through OOMOL. Review the oo CLI installer before running the remote install command, and confirm all create/delete payloads before allowing the agent to execute them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Vague Triggers

Medium

Confidence: 97% confidence
Finding: The description says to use this skill for "ANY Placid request," covering all reading, creating, updating, and deleting tasks involving Placid. That invocation guidance is very broad and lacks limiting conditions or exclusion examples, increasing the chance of unintended activation for ordinary Placid mentions.

External Script Fetching

High

Category: Supply Chain
Content: - **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>): ```bash curl -fsSL https://cli.oomol.com/install.sh | bash # macOS / Linux ``` ```powershell
Confidence: 90% confidence
Finding: curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal