Email Engine

Security checks across malware telemetry and agentic risk

Overview

This email automation skill is coherent, but it enables autonomous bulk emailing, tracking, and AI processing of email contents without enough documented privacy, consent, or approval controls.

Review before installing. Use it only where you can enforce your own controls for sender authorization, campaign approval, lawful recipient contact, unsubscribe and suppression lists, tracking disclosure, and data minimization. Avoid sending confidential, regulated, or unnecessary email content to the external gateway unless the provider's privacy and retention practices are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill documentation describes email sending, open/click tracking, and AI classification/reply features without warning that recipient engagement data and email contents may be transmitted to external services. Because this skill is explicitly designed for autonomous workflows handling human communications, operators may unknowingly process personal or confidential data without consent, notice, or policy review.

VirusTotal

VirusTotal findings are pending for this skill version.
