Back to skill

Security audit

ChartMogul

Security checks across malware telemetry and agentic risk

Overview

This ChartMogul skill is a disclosed, read-only OOMOL connector wrapper, but users should remember it can access customer and account data through their connected ChartMogul account.

Install this only if you are comfortable letting OOMOL's connector read ChartMogul account, customer, contact, and source data for user-requested tasks. Prefer specific lookups or filtered lists, review any first-time oo CLI install/auth step, and require explicit confirmation before any future connector action that writes or deletes data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The instruction to use this skill for ANY ChartMogul request and instead of calling the API directly is overly broad and can cause automatic routing of all ChartMogul-related tasks through this skill without first evaluating whether the request is appropriate, least-privileged, or even necessary. In a security context, broad trigger conditions increase the chance of unintended execution, over-collection of tenant data, and bypass of safer task-specific handling or user confirmation flows.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.