Back to skill

Security audit

Booqable

Security checks across malware telemetry and agentic risk

Overview

This Booqable skill is a disclosed connector wrapper with scoped tool access, though users should be careful with setup commands and any account-changing action.

Before installing, review the oo CLI installer source or use an official pinned install method if available. Once installed, only approve Booqable actions you explicitly requested, and treat any action tagged `[write]` or `[destructive]` as requiring confirmation of the exact payload and expected account impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger text says to use this skill for ANY Booqable request and instead of calling the API directly, which can cause over-invocation without sufficient task scoping. In an agent environment, broad routing increases the chance that sensitive or unintended Booqable operations are attempted in contexts where a narrower skill or additional confirmation logic should apply.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.