Back to skill

Security audit

Braze

Security checks across malware telemetry and agentic risk

Overview

This Braze skill is a disclosed read-oriented connector wrapper, with some broad wording and setup steps users should understand before use.

Install this if you want agents to read Braze campaign and Canvas information through OOMOL. Review the OOMOL account connection and CLI installer before use, and treat any future or unlisted write/destructive Braze action as requiring explicit confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description says to use this skill for ANY Braze request and instead of calling the API directly, which creates an overly broad routing rule without clear scope boundaries. That can cause an agent to invoke this skill for unrelated, higher-risk, or unsupported Braze tasks by default, reducing opportunity for per-task security checks and increasing the chance of unsafe command execution paths such as setup/install guidance or future write actions being used too broadly.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.