Skills
skills/davepoon/buildwithclaude/bamboohr-automation/Gen Agent Trust Hub

bamboohr-automation

Pass

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSNO_CODE
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill demonstrates a vulnerability surface for indirect prompt injection by processing external data with high-privilege tool access. 1. Ingestion points: Employee directory and profile data from BAMBOOHR_GET_ALL_EMPLOYEES and BAMBOOHR_GET_EMPLOYEE (SKILL.md). 2. Boundary markers: Absent; there are no instructions to delimit or ignore instructions within the retrieved data. 3. Capability inventory: Critical write operations including BAMBOOHR_UPDATE_EMPLOYEE and BAMBOOHR_CREATE_TIME_OFF_REQUEST (SKILL.md). 4. Sanitization: Absent; no validation or filtering of external content is defined.
  • [External Downloads] (LOW): The skill utilizes an external MCP server endpoint (https://rube.app/mcp) which is not included in the trusted source whitelist.
  • [No Code] (SAFE): The skill consists exclusively of markdown documentation and tool-use instructions without any bundled scripts or executables.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 20, 2026, 08:18 AM