Back to skill

Security audit

PartnerStack Partner

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed read-only PartnerStack connector skill that uses OOMOL's oo CLI to retrieve account data, with no hidden writes or persistence found.

Install this only if you want agents to read data from your connected PartnerStack Partner account, including payouts and rewards. Review the OOMOL CLI install source and account connection before first use, and keep requests specific so the skill is invoked only for PartnerStack Partner data retrieval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest description says to use this skill for "ANY PartnerStack Partner request" and "instead of calling the API directly," which is an overly broad trigger for invocation. Broad routing language can cause the agent to select this skill in cases where a narrower, safer, or more appropriate path should be used, increasing the chance of unnecessary connector access and overreach beyond the user’s precise intent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.