bamboohr-reference-architecture
Provides a structured reference architecture for integrating BambooHR into production HR data pipelines, enhancing employee data management.
Security score
The bamboohr-reference-architecture skill was audited on May 19, 2026 and we found 38 security issues across 4 threat categories. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| Line | Code |
| --- | --- |
| 190 | result.errors.push(`Employee ${emp.id}: ${(err as Error).message}`); |
| 215 | 'GET', `/employees/changed/?since=${lastSync}`, |
| 265 | orgUnitPath: `/departments/${department}`, |
| 270 | await this.slackClient.addToChannel(workEmail, `#${department.toLowerCase()}`); |
| 274 | text: `Your new report ${firstName} ${lastName} (${jobTitle}) starts soon. ` + |
| 275 | `BambooHR profile: https://${process.env.BAMBOOHR_COMPANY_DOMAIN}.bamboohr.com/employees/employee.php?id=${employeeId}`, |
| 278 | console.log(`Onboarding complete for ${firstName} ${lastName}`); |
| 291 | console.log(`Offboarding complete for ${firstName} ${lastName}`); |
| 298 | await this.googleAdmin.moveUser(workEmail, `/departments/${department}`); |
| 301 | await this.slackClient.addToChannel(workEmail, `#${department.toLowerCase()}`); |
| 316 | console.log(`Full sync: ${result.created} created, ${result.updated} updated, ${result.deleted} deleted`); |
| 323 | console.log(`Incremental sync: ${JSON.stringify(result)}`); |
Webhook reference - potential data exfiltration
| Line | Code |
| --- | --- |
| 45 | │ API Layer │ Sync Engine │ Webhook Handler │ |
| 46 | │ /api/* │ (Cron/Queue) │ /webhooks/bamboohr │ |
| 83 | │ │ ├── webhook.ts # Webhook signature verification + routing |
| 100 | │ │ └── webhook.test.ts |
| 143 | sync_type TEXT NOT NULL, -- 'full', 'incremental', 'webhook' |
| 231 | async handleWebhookEvent(employeeId: string, action: string, fields: Record<string, string>) { |
| 319 | // Incremental sync: every 15 minutes (safety net for missed webhooks) |
| 349 | webhook: { |
| 374 | webhook: { |
| 375 | secret: process.env.BAMBOOHR_WEBHOOK_SECRET!, |
| 376 | path: '/webhooks/bamboohr', |
| 386 | - Employee sync with full, incremental, and webhook-driven modes |
| 396 | \| Sync data gaps \| Missed webhooks + long incremental interval \| Full sync as daily safety net \| |
| 397 | \| Duplicate processing \| Webhook retry + no idempotency \| Idempotency keys in sync log \| |
| 398 | \| Stale local data \| Cache TTL too long \| Webhook-based cache invalidation \| |
| 407 | - **Monitoring**: Alert on sync failures, webhook delivery gaps, and API error spikes |
| 413 | - [BambooHR Webhooks](https://documentation.bamboohr.com/docs/webhooks) |
Access to .env file
| Line | Code |
| --- | --- |
| 275 | `BambooHR profile: https://${process.env.BAMBOOHR_COMPANY_DOMAIN}.bamboohr.com/employees/employee.php?id=${employeeId}`, |
| 359 | companyDomain: process.env.BAMBOOHR_COMPANY_DOMAIN!, |
| 360 | apiKey: process.env.BAMBOOHR_API_KEY!, |
| 372 | redisUrl: process.env.REDIS_URL, |
| 375 | secret: process.env.BAMBOOHR_WEBHOOK_SECRET!, |
External URL reference
| Line | Code |
| --- | --- |
| 275 | `BambooHR profile: https://${process.env.BAMBOOHR_COMPANY_DOMAIN}.bamboohr.com/employees/employee.php?id=${employeeId}`, |
| 411 | - [BambooHR API Documentation](https://documentation.bamboohr.com/docs) |
| 412 | - [BambooHR API Reference](https://documentation.bamboohr.com/reference) |
| 413 | - [BambooHR Webhooks](https://documentation.bamboohr.com/docs/webhooks) |