Back to skill

Security audit

Checkly

Security checks across malware telemetry and agentic risk

Overview

This skill provides a disclosed Checkly connector workflow focused on reading Checkly data through OOMOL, with no artifact-backed malicious behavior found.

Before installing, confirm you trust OOMOL as the connector provider and are comfortable connecting your Checkly account through OOMOL. Use the skill for reading Checkly checks, results, statuses, and account details; require explicit approval before any future version or live connector schema exposes write or destructive actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest says the skill should be used for 'searching and reading data,' but the body explicitly contemplates state-changing '[write]' and '[destructive]' actions. That mismatch can cause an orchestrating agent or user to treat the skill as read-only and invoke it in situations where mutation should have required stronger confirmation or a different trust boundary.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger text says to use this skill for 'ANY Checkly request' and 'Whenever a task involves Checkly,' which is broader than the described read-focused purpose and can cause over-invocation. In agentic systems, such broad routing language may bypass more appropriate tooling or cause this skill to be selected for sensitive tasks merely because Checkly is mentioned.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.