Security audit

Email Address Validation Single

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AgentPMT email-validation wrapper, with the main caution that broad trigger words could cause unintended use if an agent routes too aggressively.

Install only if you are comfortable sending email addresses to AgentPMT for validation and spending account credits per check. Configure agents to use it only when the user clearly asks to validate an email address or an established workflow requires that validation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding: The skill advertises activation keywords such as "verify" and "email," which are generic enough to overlap with ordinary user requests and increase the chance of unintended tool selection. In an agent setting, this can cause silent routing of user-provided email addresses to a remote third-party service, creating unnecessary data disclosure and billing risk.

Vague Triggers

Medium
Confidence: 90%
Finding: The manifest description contains broad usage language covering many common workflows like signups, campaigns, and fake account prevention without clear boundaries for when the skill should or should not activate. That broad framing makes accidental invocation more likely, especially because the tool performs external validation against remote infrastructure using user-supplied email addresses.

VirusTotal

61/61 vendors flagged this skill as clean.
