Back to skill

Security audit

Freshsales

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Freshsales connector helper that can read, create, update, and delete contacts through the OOMOL CLI, with explicit confirmation required for state-changing actions.

Install only if you want Codex to operate your Freshsales contacts through OOMOL. Review write and delete requests carefully, confirm exact targets and payloads before approval, and ensure you trust the oo CLI/OOMOL account connection used by the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill explicitly claims it should be used for ANY Freshsales request, including reads, writes, and deletes, without tighter task boundaries or routing constraints. That broad trigger scope can cause the agent to invoke this skill for a wide range of CRM-related tasks unnecessarily, increasing the chance of unintended data modification or destructive operations being selected in contexts where a narrower skill or additional validation would be safer.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.