Notifications Engine

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward paid notification API skill, but users should be careful because email/SMS content and delivery logs go to an external service.

Install only if you trust MCF Agentic and the external gateway with recipient contact details, message contents, delivery history, and x402 payments. Require user approval before allowing an agent to send email or SMS, and avoid sensitive personal data until the provider documents privacy, retention, access controls, and billing behavior.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly supports sending email/SMS and maintaining delivery logs, which inherently involves handling personal contact data and message contents. The documentation does not warn about privacy, consent, retention, or misuse risks, so an integrating agent could send or log sensitive data without adequate safeguards or user awareness.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal