bamboohr-core-workflow-b
Facilitates BambooHR workflows for managing time off requests, PTO balances, and employee files efficiently.
Security score
The bamboohr-core-workflow-b skill was audited on May 19, 2026 and we found 19 security issues across 2 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 52 | console.log(`${req.employeeId}: ${req.start} to ${req.end} (${req.type.name})`); |
Template literal with variable interpolation in command context
| 53 | console.log(` Status: ${req.status.status} | ${req.amount.amount} ${req.amount.unit}`); |
Template literal with variable interpolation in command context
| 82 | await fetch(`${BASE}/employees/123/time_off/request`, { |
Template literal with variable interpolation in command context
| 107 | await fetch(`${BASE}/time_off/requests/100/status`, { |
Template literal with variable interpolation in command context
| 129 | console.log(`${b.name}: ${b.balance} days remaining (accruing ${b.accrualRate}/period)`); |
Template literal with variable interpolation in command context
| 142 | console.log(`Type ${id}: ${(type as any).name}`); |
Template literal with variable interpolation in command context
| 148 | console.log(`Policy: ${policy.name} (${policy.type})`); |
Template literal with variable interpolation in command context
| 161 | console.log(`Category: ${category.name}`); |
Template literal with variable interpolation in command context
| 163 | console.log(` ${file.name} (${file.originalFileName}) — ${file.createdDate}`); |
Template literal with variable interpolation in command context
| 169 | const fileRes = await fetch(`${BASE}/employees/123/files/42/`, { |
Template literal with variable interpolation in command context
| 180 | await fetch(`${BASE}/employees/123/files`, { |
Template literal with variable interpolation in command context
| 191 | const photoRes = await fetch(`${BASE}/employees/123/photo/small`, { |
Template literal with variable interpolation in command context
| 199 | await fetch(`${BASE}/employees/123/photo`, { |
Template literal with variable interpolation in command context
| 215 | console.log(`${goal.title} — ${goal.percentComplete}% (${goal.status})`); |
Template literal with variable interpolation in command context
| 224 | console.log(`${record.type}: completed ${record.completedDate}`); |
External URL reference
| 254 | - [BambooHR Time Off API](https://documentation.bamboohr.com/reference/time-off) |
External URL reference
| 255 | - [BambooHR Time Off Policies](https://documentation.bamboohr.com/reference/get-time-off-policies) |
External URL reference
| 256 | - [BambooHR Photos API](https://documentation.bamboohr.com/reference/photos) |
External URL reference
| 257 | - [BambooHR Goals API](https://documentation.bamboohr.com/reference/list-goals) |