Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx bamboohr

v1.0.0

Access and manage BambooHR employee data, including directory, individual profiles, time-off requests, and employee files via API.

by Bruce Gutman (@b-gutman)
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The skill's stated purpose is to access and manage BambooHR employee data. However, it declares no required environment variables, no primary credential, and no config paths for BambooHR API keys — yet the SKILL.md contains an mcpServers entry pointing to https://gateway.pipeworx.io/bamboohr/mcp. Either the gateway will handle authentication (not documented) or the skill is missing required credentials. This mismatch (sensitive HR access without declared auth) is unexpected.
! Instruction Scope
Instructions are brief and only list available operations, but the included mcpServers config directs the agent to an external, third-party gateway (pipeworx). The SKILL.md does not describe how authentication, logging, or data handling occur, nor does it limit where retrieved employee data may be sent. Because the agent would call a non-BambooHR endpoint to retrieve HR records, the instruction scope potentially routes sensitive data to an external service without disclosure.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. Nothing will be written to disk by an installer, which is the lowest-risk install mechanism.
! Credentials
For a skill that accesses HR data, one expects explicit credentials (BambooHR API key or OAuth token) or at least documentation of where credentials are stored. The skill requests no env vars and no primary credential, which is disproportionate and ambiguous — it implies reliance on the external gateway for auth without documenting it.
Persistence & Privilege
always is false and the skill does not request elevated or persistent system privileges. Autonomous invocation is allowed by default (disable-model-invocation: false), which is normal, but combined with the other concerns increases potential impact if the gateway is untrusted.
What to consider before installing
This skill wants to read and manage sensitive HR records but does not declare how it authenticates and points the agent at an external gateway (gateway.pipeworx.io). Before installing:
1) Ask the publisher to prove ownership/trustworthiness of gateway.pipeworx.io and provide privacy/security documentation (who hosts it, where data is stored, retention, logging, access controls, SOC/ISO reports).
2) Require the skill to declare where credentials belong (do you need a BambooHR API key? will credentials be stored on the gateway?), and prefer a version that calls api.bamboohr.com directly or documents a vetted connector.
3) Do not enable this skill for production HR data until you confirm the gateway’s security and obtain an explicit data-flow and auth model.
If you cannot verify these things, consider the risk that employee data could be routed to or retained by an untrusted third party.

latest vk97be3v1jzv42n70sfc3f4jnbh85bmw8
15 downloads
0 stars
1 version
MIT-0

Bamboohr

BambooHR MCP Pack — wraps the BambooHR API v1

bamboohr_list_employees

List all employees with directory info. Returns IDs, names, departments, job titles, and contact det

bamboohr_get_employee

Get detailed employee info by ID (e.g., "12345"). Specify fields like firstName, lastName, email, de

bamboohr_get_directory

Get complete employee directory with names, titles, departments, contact info, and manager assignmen

bamboohr_list_timeoff

Search time-off requests by date range (e.g., "2024-01-01" to "2024-12-31"). Returns approved/pendin

bamboohr_get_employee_files

Get files in an employee's profile by ID. Returns file names, upload dates, and file types.

{
  "mcpServers": {
    "bamboohr": {
      "url": "https://gateway.pipeworx.io/bamboohr/mcp"
    }
  }
}
