notify-hub

Security checks across malware telemetry and agentic risk

Overview

This notification skill is mostly purpose-aligned, but its email-routing script can execute unsafe shell commands from attacker-controlled email subject text.

Do not enable the scheduled polling until the scripts are changed to use execFileSync or spawn with argument arrays, remove the unpinned npx fallback, and store digest logs in a private user directory with clear retention. If you test it, use --dry-run first and a dedicated low-privilege notify mailbox.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The router persists metadata for every non-urgent email into a JSONL file under the system temp directory, creating local retention of potentially sensitive sender, subject, and timestamp data beyond the stated digest behavior. Because this skill aggregates notifications from services like GitHub, Stripe, and Linear, subjects and senders may disclose incident details, payment events, repository names, or other operationally sensitive information, and temp-directory storage may be accessible to other local users or processes.

VirusTotal

65/65 vendors flagged this skill as clean.
