Security audit

Lme Auto Messenger

Security checks across malware telemetry and agentic risk

Overview

The skill appears to automate customer outreach using spreadsheet data, which is sensitive but coherent with its stated purpose and not evidence of malware or deception.

Install only if you are authorized to process the customer spreadsheet and contact those people. Minimize exported fields, avoid sensitive or regulated customer notes unless necessary, review each generated message before sending, and understand what Browser Relay or browser automation can see in your local session.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill automates extracting customer data from a spreadsheet and sending personalized messages through Browser Relay/LME, but it does not clearly warn about the privacy implications of moving personal data across multiple systems and browser automation tooling. Because the data includes names, email addresses, message history, and inferred interests, users may expose regulated or sensitive customer information without understanding the transmission, retention, and consent risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.