Back to skill

Security audit

JazzHR

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, read-only JazzHR connector skill that uses OOMOL’s oo CLI to access a user-connected JazzHR account.

Install this only if you want your agent to read JazzHR applicants, jobs, and users through your OOMOL-connected account. Be mindful that HR data can be sensitive, and review prompts/results before sharing applicant or user information outside your organization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger text is unusually broad: it directs use of this skill for ANY JazzHR request and whenever a task involves JazzHR. In an agentic environment, that can cause the skill to be invoked for loosely related prompts, increasing the chance of unintended tool execution, over-collection of HR data, or bypassing more narrowly scoped handling logic.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.