Back to skill

Security audit

Smartsheet

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Smartsheet connector wrapper with read, write, and delete abilities that are scoped to Smartsheet and include confirmation requirements for changes.

Install this only if you are comfortable letting the agent access Smartsheet data available to your connected OOMOL account. Review any proposed add, update, or delete payload carefully before approving it, and use the first-time install or login steps only when you actually need to set up the oo CLI or Smartsheet connection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger text says to use this skill for ANY Smartsheet request and instead of calling the API directly, which is overly broad and can cause the agent to invoke the skill for vague or incidental Smartsheet mentions. In a skill that supports read, write, and destructive actions, broad routing increases the chance of unintended data access or mutation without sufficiently narrowing user intent first.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.