Back to skill

Security audit

Pendo

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Pendo read-only connector helper with no evidence of hidden code, destructive behavior, or credential theft.

Install this only if you want the agent to query Pendo through your OOMOL-connected account. Pendo data may be sensitive, so use it in workspaces where read access to pages, features, and integration status is appropriate, and review carefully if future versions add write-capable actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description says to use this skill for ANY Pendo request and instead of calling the API directly, which is an overly broad trigger that can cause the agent to route all Pendo-related tasks through this skill without clear task boundaries. While the listed actions are currently read-oriented, the trigger scope is wider than the actual capability set and could lead to inappropriate invocation, future unsafe expansion, or bypass of more context-appropriate controls.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.