Back to skill

Security audit

Paymo

Security checks across malware telemetry and agentic risk

Overview

This Paymo skill is a coherent OOMOL connector wrapper with disclosed read, write, and delete abilities and explicit confirmation guidance for state-changing actions.

Install this only if you trust OOMOL to broker Paymo access and are comfortable connecting your Paymo API key there. For create, update, or delete requests, review the exact object, payload, and effect before approving; install the oo CLI only from the documented official source if it is not already present.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The description says to use this skill for ANY Paymo request and instead of calling the API directly, which is an overly broad trigger that can cause the agent to route all Paymo-related tasks through this skill without considering whether a narrower or safer path is more appropriate. In a skill that supports read, write, and destructive actions, this broad invocation scope increases the chance of unintended use and raises the risk of accidental state-changing or deletion operations being initiated from loosely matched requests.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.