Back to skill

Security audit

Nimrobo

Security checks across malware telemetry and agentic risk

Overview

Nimrobo looks like a legitimate CLI documentation skill, but it gives an agent broad account, hiring, messaging, and organization-control powers without enough scoping or safety guidance.

Install only if you trust the Nimrobo service and the npm package you are installing. Protect the API key file, verify saved context before writes, and require explicit user confirmation before onboarding, exporting transcripts or audio, sending messages, accepting or rejecting applications, changing roles, removing members, deleting posts or organizations, or running any batch operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest says the skill is for 'voice screening and matching network operations,' but the documented CLI exposes much broader capabilities including user/profile management, organization administration, invites, role changes, messaging, and deletion actions. This scope understatement can cause an agent or reviewer to authorize or invoke higher-risk operations than expected, undermining informed consent and least-privilege review.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented command set materially exceeds the declared skill purpose of voice screening and matching by exposing broad profile, organization, posting, application, and messaging operations. This scope mismatch can mislead users or higher-level agents into granting trust or permissions under false assumptions, enabling unintended account, org, and communication actions.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Organization creation, update, deletion, membership changes, and join/invite flows are administrative capabilities unrelated to the stated voice-screening purpose. In an agent setting, this unnecessary breadth increases the chance of over-privileged use and accidental or unauthorized tenant-level changes.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Member administration and invite management allow changing roles, removing users, and controlling access to organizations, which goes well beyond voice screening and matching. Such capabilities are sensitive because misuse can alter authorization boundaries and disrupt organization operations.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
General messaging operations permit reading, sending, and bulk state changes on channels, which are outside the stated purpose and may expose sensitive communications. In an agentic environment, users may not expect a 'voice screening and matching' skill to access or modify message state across channels.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill metadata says it is for 'voice screening and matching network operations,' but the workflow substantially expands into job posting, applicant processing, messaging, organization administration, and role management. This capability mismatch can mislead users and reviewers about the true privilege scope of the skill, increasing the chance that powerful recruiting and admin actions are invoked without informed consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The organization management workflow includes sensitive administrative actions such as inviting admins, approving join requests, changing roles, and removing members, which go beyond the stated purpose of voice screening. When high-privilege org administration is embedded in a skill whose purpose does not clearly justify it, users may authorize or run it without understanding it can alter organizational control and access.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The onboarding instruction uses a natural-language trigger ('run only if the user says to onboard') that is broad and potentially ambiguous, which can cause the agent to invoke a state-changing command based on loosely matched user phrasing. Because `nimrobo onboard` appears to initiate profile and organization setup and then follow CLI-driven prompts, unintended activation could lead to creation or modification of user/account data without sufficiently explicit confirmation.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill handles voice interviews, screening, applications, messaging, and transcripts, all of which can involve sensitive personal and employment-related data. The overview introduces these capabilities without warning the operator to minimize collection, avoid exposing transcripts or applicant data, and obtain consent before processing or sharing sensitive information, increasing the risk of privacy and data-handling misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The command reference includes destructive and state-changing operations such as delete, remove-member, close, reject, accept, withdraw, cancel, and role updates without any warning, confirmation guidance, or safety notes. In an agent setting, this increases the chance of accidental high-impact actions being executed from ambiguous prompts or misunderstood context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly instructs users to store a live API key in a predictable plaintext file under the home directory and provides no warning about protecting file permissions, avoiding source control inclusion, or using safer secret storage. This increases the likelihood of credential exposure through local compromise, backups, logs, screenshots, or accidental sharing, especially because the CLI supports sensitive voice-screening and network operations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation includes organization deletion without an explicit warning about irreversibility or operational impact. In agent-assisted use, a destructive command presented without strong caution or confirmation guidance increases the likelihood of accidental deletion of shared resources.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
Post deletion is documented as a normal command without clearly warning about permanent data loss or downstream effects on applications and workflows. This can lead users or agents to invoke a destructive action without understanding the consequences.

Missing User Warnings

Low
Confidence
76% confidence
Finding
Fetching a message automatically marks it as read, but this state-changing side effect is easy to miss because the operation is framed as a read action. Hidden side effects are risky in agent workflows because they can alter audit trails, unread counts, or user expectations without deliberate intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation recommends supplying an API key via standard input using `echo`, which commonly results in the secret appearing in shell history, process logs, CI logs, or copied command transcripts. Because this skill is for network/voice screening operations, exposed credentials could grant access to projects, transcripts, audio, and evaluation data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The transcript, audio, evaluation, and summary commands expose highly sensitive interview content, but the documentation provides no privacy, retention, authorization, or handling warnings. In this skill context, the data likely contains PII, candidate assessments, and recorded conversations, increasing the risk of inappropriate sharing, insecure storage, or noncompliant use.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow retrieves interview evaluations and transcripts, which are likely to contain sensitive personal, employment, and possibly biometric/voice-derived data, but provides no privacy warning or handling guidance. In a recruiting context, silent retrieval of this information can lead to overcollection, unsafe storage, or disclosure of candidate data through local files and terminal history.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The job workflow shows applicant acceptance, candidate messaging, and post closure as routine commands without warning that these actions may be difficult to reverse and can materially affect applicants. In hiring workflows, users may execute commands quickly or by copy-paste, so omission of impact warnings raises the risk of accidental decisions or premature closure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The organization management section documents role updates and member removal without warning that these are destructive access-control changes. In a multi-user organization context, mistaken execution can revoke access, elevate privileges, or disrupt operations, making the absence of caution materially dangerous.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The batch applicant processing workflow enables accepting or rejecting multiple applicants at once without warning about the scale and irreversibility of the action. Bulk operations amplify the consequences of wrong IDs, wrong context, or misuse, potentially affecting many candidates and opening communication channels unintentionally.

VirusTotal

43/43 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.