Security audit

BambooHR

Security checks across malware telemetry and agentic risk

Overview

This BambooHR skill is a disclosed read-only connector for employee and company data, with no artifact evidence of hidden, destructive, or exfiltrating behavior.

Install only if you want your agent to read BambooHR data through OOMOL. BambooHR employee data can be sensitive, so confirm your OOMOL connection scopes and avoid using broad employee-list actions unless the user request really needs them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger text instructs the agent to use this skill for ANY BambooHR request and whenever a task involves BambooHR, which is broader than a narrowly scoped read-only skill selector should be. This can cause unintended invocation on vague mentions of BambooHR and route sensitive HR data queries through the skill without sufficient task disambiguation, increasing the chance of privacy-impacting overreach or misuse.

VirusTotal

62/62 vendors flagged this skill as clean.
