Security audit

mailprocess

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for the Mali low-code platform, but it can automatically control Chrome and submit user text through a logged-in session without a clear confirmation step.

Install only if you trust this internal Mali workflow and are comfortable letting it control Chrome under your logged-in account. Avoid including secrets or sensitive business data in prompts, prefer explicit invocations such as using the Mali builder by name, and consider adding a manual confirmation or draft-only mode before the script clicks send.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill performs shell execution, opens external URLs, and automates browser interaction, but it does not declare any corresponding permissions or capability boundaries. This creates a transparency and governance gap: a caller or platform may treat the skill as low-risk while it can actually launch processes and transmit user content to an external service.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The documented trigger keywords include generic phrases such as '创建应用' ("create an application") and '管理系统' ("management system") that can overlap with ordinary user requests, increasing the chance the skill auto-runs when the user did not intend browser automation. In this skill's context, unintended activation is more dangerous because execution opens Chrome, navigates to an internal low-code platform, fills user-provided content, and may submit it, creating a real risk of unwanted actions and unintended disclosure of sensitive requirements.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README advertises automatic browser launch, navigation to an internal site, form filling, and clicking send, but does not clearly warn that user input will be transmitted to a web application and may trigger remote actions. In this skill's context, that omission is especially risky because users may include internal business details, and the automation targets a live internal platform where a single invocation can disclose data or create unwanted resources.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough to match ordinary requests like building an app, dashboard, or form system, which can cause the skill to activate without the user intentionally choosing this external automation path. In context, that matters because activation leads to opening a browser and potentially submitting sensitive requirements to an internal platform automatically.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The activation rule allows invocation whenever a request seems suitable for low-code implementation, which is subjective and overly permissive. Because the skill then automates browser control and submission, this ambiguity can route user data to the external platform without clear, informed user intent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill is designed to automatically open Chrome, fill in the user's requirement, and click send, yet it does not require a warning or confirmation before transmitting content. This is dangerous because user requirements may contain confidential business logic, internal data, or sensitive project details that get sent to a third-party or internal web system without explicit consent at execution time.

Missing User Warnings

High
Confidence
99% confidence
Finding
The operational workflow explicitly automates submission to a web platform and even monitors execution state, but it omits any checkpoint for user review or consent before the request is transmitted. In this context, the skill is more dangerous because it targets a logged-in browser session, so automation may act with the user's existing authenticated privileges.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically injects user-supplied text into a web application and clicks submit without any confirmation step, causing immediate external transmission of whatever was provided on the command line. In the skill context, this is more dangerous because users may include sensitive internal requirements, tokens, credentials, or proprietary business details that get sent to a low-code platform unintentionally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The macOS flow uses AppleScript to open Chrome, inject the user's requirement into the page, and automatically click a submit button, causing data to be sent to a remote web application without an explicit confirmation step. This is risky because user-provided requirements may contain sensitive internal information, and the broad button-selection logic could also submit to an unintended control if the page structure changes.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.