Bamboohr Automation
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could change HR records or time-off request statuses if operating under a privileged BambooHR account.
The skill documents tools that can change BambooHR records and time-off decisions. Those actions are purpose-aligned, but the visible workflow does not require an explicit final confirmation, preview, or rollback step before mutation.
`BAMBOOHR_UPDATE_TIME_OFF_REQUEST` - Modify or approve/deny a request [Optional] ... `BAMBOOHR_UPDATE_EMPLOYEE` - Update employee fields [Required]
Before allowing write actions, require the agent to show the exact employee, fields, old values, new values, and request ID, then ask for explicit confirmation. Prefer a least-privilege BambooHR account and audit all changes.
The skill's effective power depends on the connected BambooHR account, which may expose or modify employee data beyond what a casual user expects.
The skill requires a delegated BambooHR connection and may use manager/admin permissions for some operations. This is expected for BambooHR automation, but it is sensitive authority.
Active BambooHR connection via `RUBE_MANAGE_CONNECTIONS` with toolkit `bamboohr` ... Request status updates require appropriate permissions (manager/admin)
Connect only a BambooHR account with the minimum required permissions, and avoid using an all-powerful admin connection unless the task truly requires it.
Sensitive BambooHR data and account actions may pass through the Rube/Composio integration rather than only between the agent and BambooHR.
BambooHR requests and results are routed through an external MCP/provider integration. That is disclosed and central to the skill, but it creates a third-party trust and data-boundary consideration for HR data.
Add `https://rube.app/mcp` as an MCP server ... through Composio's BambooHR toolkit via Rube MCP
Verify the Rube/Composio trust model, data handling, and workspace authorization before connecting BambooHR, especially for dependents, benefits, or employee profile data.
