Back to skill

Security audit

Recharge

Security checks across malware telemetry and agentic risk

Overview

This Recharge skill is mostly coherent, but its setup instructions ask users to run remote installer scripts directly and its scope is broad for a connector that can access business/customer data.

Install only if you trust OOMOL and are comfortable granting its connector access to Recharge data. Prefer a verified or manual oo CLI installation path instead of blindly running the one-line installer commands, and treat Recharge customer, order, charge, and subscription data as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill mislabels read-only retrieval actions like `get_charge` and `get_order` as `[write]`, which creates inaccurate operator guidance about what actions are state-changing. While this does not directly enable code execution or data modification, incorrect safety metadata can cause users or downstream agents to make poor approval decisions and undermines trust in the skill's control model.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The description says to use this skill for ANY Recharge request and instead of calling the API directly, making invocation scope overly broad. This can cause an agent to route loosely related prompts into a connector-backed skill unnecessarily, increasing the chance of unintended data access or actions in a production SaaS environment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The first-time setup instructs users to execute `curl -fsSL ... | bash`, which pipes remote content directly into a shell without verification, pinning, or integrity checks. If the install endpoint, transport, or hosting supply chain is compromised, arbitrary code would run on the user's machine.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The Windows setup step uses `irm ... | iex`, which executes remote PowerShell content directly in memory without review or integrity validation. This creates the same supply-chain and remote code execution risk as pipe-to-shell installation patterns, with potentially full user-context compromise on Windows systems.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.