Back to skill

Security audit

Namely

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed read-only Namely connector that can access employee profile data through OOMOL, with no evidence of hidden, destructive, or exfiltrating behavior.

Install only if you are comfortable letting the agent read Namely employee profile information visible to your connected account. Keep the connected Namely account scoped to the minimum access needed, and review any setup steps that install or authenticate the oo CLI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill description directs the agent to use this skill for any Namely-related request, which is an overly broad routing instruction. While not directly exploitable on its own, it can cause the agent to over-delegate tasks and bypass more context-appropriate handling, increasing the chance of unnecessary access to sensitive HR data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.