ClawHub

Tisane

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Tisane connector skill; its main risk is a conditional OOMOL CLI installer command, not hidden or malicious behavior.

Install if you are comfortable sending text to Tisane through OOMOL and connecting a Tisane API key. If the oo CLI is not already installed, review the OOMOL installer source or use a trusted installation method before running the suggested remote installer command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

External Script Fetching

High
Category
Supply Chain
Content
- **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>):

  ```bash
  curl -fsSL https://cli.oomol.com/install.sh | bash    # macOS / Linux
  ```

  ```powershell
Confidence
98% confidence
Finding
curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal