Back to skill

Security audit

Precoro

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Precoro connector helper that uses the OOMOL CLI for mostly read-only procurement lookups, with no evidence of hidden exfiltration or destructive behavior.

Install only if you intend to let an agent access Precoro through your OOMOL account. Review any requested payload before running actions, especially if future connector schemas expose create, update, or delete operations, and only run the oo CLI installer from a source you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
`get_purchase_order` is described as a read operation ('Get one Precoro purchase order') but is tagged `[write]`, creating contradictory safety semantics. This can mislead an agent or user about whether confirmation is required, weakening trust in the action classification system and increasing the chance of unsafe execution decisions in future edits or adjacent skills.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The instruction to use this skill for 'ANY Precoro request' is overly broad and lacks scope limits, exclusions, or policy boundaries. In a skill that can access enterprise procurement data and may include state-changing operations, this broad routing increases the risk that sensitive or high-impact requests are funneled through the skill without sufficient contextual checks.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The safety section discusses `[write]` and `[destructive]` tags as user-facing safeguards, but the action list contains no destructive operations and mislabels a read action as `[write]`. This inconsistency undermines the reliability of the documented safety model, making operators less able to trust which actions need confirmation and increasing the chance of procedural mistakes.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.