Back to skill

Security audit

Email Marketing Tool

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed email-marketing API skill whose sensitive capabilities are expected for its purpose, but users should apply consent and privacy controls before sending campaigns.

Install only if you intend to let the agent access your email marketing account. Before any import, segmentation, tracking review, send, or schedule action, verify recipient consent, suppression/unsubscribe handling, target list, subject, content, and applicable anti-spam/privacy obligations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly enables bulk email sending, recipient list management, tracking, segmentation, and unsubscribe handling, but provides no guardrails around consent, lawful basis, tracking disclosure, or protection of recipient/customer data. In this context, the omission is security- and privacy-relevant because it can facilitate unauthorized marketing campaigns, privacy violations, and misuse of customer contact data at scale.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.