PixelLetter

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a clearly disclosed PixelLetter integration that can send real mail or faxes, with safeguards before production dispatch.

Install only if you intend to let an agent prepare PixelLetter mail or fax workflows. Use dry-run or test mode first, keep PIXELLETTER_EMAIL and PIXELLETTER_PASSWORD in environment variables or a secret manager, and only enable real sends after checking the recipient, document, options, and expected cost.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 85%
Finding
This markdown file describes posting XML to a remote HTTPS endpoint and includes authentication fields for email and password, as well as uploaded files. Under SQP-2 for markdown files, documentation should warn users when behavior could affect privacy or transmit user data, but the file provides interface details without any explicit caution about sending credentials, message contents, or attachments to a third-party service.

Static analysis

Env credential access

Critical
Finding
Environment variable access combined with network send.

VirusTotal

66/66 vendors flagged this skill as clean.
