Back to skill

Security audit

Tremendous

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Tremendous connector that can read and create reward-related data, with explicit confirmation required before write actions.

Install only if you intend to let an agent use your OOMOL-connected Tremendous account. Treat reward orders and redemption links as sensitive financial actions, review payloads carefully, and require explicit approval before creating orders or links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The instruction to use this skill for ANY Tremendous request is overly broad and can cause the agent to invoke a powerful connector by default, including for sensitive or state-changing tasks. In this context, the skill supports both read and write operations, so broad routing increases the chance of unintended use, privilege overreach, or acting through the connector when a narrower or safer path would be more appropriate.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.