Security audit

Ai Intelligent Attendance Management

Security checks across malware telemetry and agentic risk

Overview

This appears to be a simple attendance-management skill description, with caution needed before running its unreviewed external GitHub app or handling employee data.

Before installing, inspect the linked GitHub repository and Python dependencies because they were not included in this review. Use the skill only with proper HR authorization, access controls, audit logging, retention limits, and care around attendance, leave, and payroll-related employee data.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Description-Behavior Mismatch

Medium (92% confidence)

Finding
The manifest description is inconsistent with the stated purpose of the skill, which is attendance management for clock-ins, leave, and statistics. A mismatched description can cause users or orchestration systems to misunderstand when the skill should be invoked, increasing the chance of overbroad activation or misuse in unrelated contexts.

Vague Triggers

Low (89% confidence)

Finding
The description 'AI intelligent ai-intelligent-attendance-management' is too vague and generic to establish a narrow operational scope. Overly broad metadata can lead to ambiguous routing, accidental invocation, or user confusion about the skill's intended capabilities, which is especially undesirable for HR-related workflows involving employee data.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.