Pipeworx bamboohr
v1.0.0Access and manage BambooHR employee data, including directory, individual profiles, time-off requests, and employee files via API.
⭐ 0· 15·0 current·0 all-time
byBruce Gutman@b-gutman
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose is to access and manage BambooHR employee data. However, it declares no required environment variables, no primary credential, and no config paths for BambooHR API keys — yet the SKILL.md contains an mcpServers entry pointing to https://gateway.pipeworx.io/bamboohr/mcp. Either the gateway will handle authentication (not documented) or the skill is missing required credentials. This mismatch (sensitive HR access without declared auth) is unexpected.
Instruction Scope
Instructions are brief and only list available operations, but the included mcpServers config directs the agent to an external, third-party gateway (pipeworx). The SKILL.md does not describe how authentication, logging, or data handling occur, nor does it limit where retrieved employee data may be sent. Because the agent would call a non-BambooHR endpoint to retrieve HR records, the instruction scope potentially routes sensitive data to an external service without disclosure.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. Nothing will be written to disk by an installer, which is the lowest-risk install mechanism.
Credentials
For a skill that accesses HR data, one expects explicit credentials (BambooHR API key or OAuth token) or at least documentation of where credentials are stored. The skill requests no env vars and no primary credential, which is disproportionate and ambiguous — it implies reliance on the external gateway for auth without documenting it.
Persistence & Privilege
always is false and the skill does not request elevated or persistent system privileges. Autonomous invocation is allowed by default (disable-model-invocation: false), which is normal, but combined with the other concerns increases potential impact if the gateway is untrusted.
What to consider before installing
This skill wants to read and manage sensitive HR records but does not declare how it authenticates and points the agent at an external gateway (gateway.pipeworx.io). Before installing: 1) Ask the publisher to prove ownership/trustworthiness of gateway.pipeworx.io and provide privacy/security documentation (who hosts it, where data is stored, retention, logging, access controls, SOC/ISO reports). 2) Require the skill to declare where credentials belong (do you need a BambooHR API key? will credentials be stored on the gateway?), and prefer a version that calls api.bamboohr.com directly or documents a vetted connector. 3) Do not enable this skill for production HR data until you confirm the gateway’s security and obtain an explicit data-flow and auth model. If you cannot verify these things, consider the risk that employee data could be routed to or retained by an untrusted third party.Like a lobster shell, security has layers — review code before you run it.
latest
Bamboohr
BambooHR MCP Pack — wraps the BambooHR API v1
bamboohr_list_employees
List all employees with directory info. Returns IDs, names, departments, job titles, and contact det
bamboohr_get_employee
Get detailed employee info by ID (e.g., "12345"). Specify fields like firstName, lastName, email, de
bamboohr_get_directory
Get complete employee directory with names, titles, departments, contact info, and manager assignmen
bamboohr_list_timeoff
Search time-off requests by date range (e.g., "2024-01-01" to "2024-12-31"). Returns approved/pendin
bamboohr_get_employee_files
Get files in an employee's profile by ID. Returns file names, upload dates, and file types.
{
"mcpServers": {
"bamboohr": {
"url": "https://gateway.pipeworx.io/bamboohr/mcp"
}
}
}
Comments
Loading comments...