Tomba

Security checks across malware telemetry and agentic risk

Overview

The Tomba skill is mostly purpose-aligned, but its setup guidance includes unverified remote script execution, so users should review it before installing.

Review the setup path before installing. Use the skill only if you are comfortable connecting a Tomba account through OOMOL and sending contact or company lookup inputs to that service. Prefer installing the oo CLI through verified official packages or documented manual steps rather than blindly running pipe-to-shell installer commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The instruction to use this skill for "ANY Tomba request" is overly broad and can route all Tomba-related tasks through a shell-capable skill without defining clear boundaries on what operations are appropriate. In context, the listed actions are mostly read/search operations, which lowers the risk somewhat, but the trigger still encourages indiscriminate invocation and reduces opportunities for narrower, safer handling.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding
The skill explicitly instructs users to send an email address to the external Tomba service to verify deliverability and retrieve metadata, but it provides no privacy notice, consent guidance, or data-handling caveats. This can lead to unintentional disclosure of personal data to a third party, which is a real privacy/security issue even though it is not an exploit-oriented vulnerability.

External Script Fetching

Severity: High
Category: Supply Chain
Content
- **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>):

  ```bash
  curl -fsSL https://cli.oomol.com/install.sh | bash    # macOS / Linux
  ```

Confidence: 97%
Finding
curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

VirusTotal findings are pending for this skill version.
