React Email Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent React Email development guide; its email-sending and API-key examples are expected for the stated purpose but should be used deliberately.

Install this if you want React Email development help. Before using the sending examples, confirm recipients and content, use scoped provider API keys, keep secrets in environment variables or a secret manager, review your email provider's data handling and compliance requirements, and consider pinning package versions for production environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding: The skill’s activation description is very broad and can match many ordinary email-related requests, increasing the chance the agent invokes this skill in situations where email generation, rendering, or sending is only tangentially relevant. Over-broad activation can cause unnecessary tool exposure, privacy-impacting suggestions, or unintended steering toward third-party email workflows.

Missing User Warnings

Medium
Confidence: 90%
Finding: The sending examples show direct use of a third-party provider without warning that recipient addresses, message contents, and related metadata will be transmitted to an external service. In an agent context, this can lead users to unknowingly route potentially sensitive data through Resend or another provider without informed consent or compliance review.

VirusTotal

66/66 vendors flagged this skill as clean.
