Back to skill

Security audit

Email Best Practices

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only email best-practices skill with ordinary production guidance and a few implementation cautions, not hidden or unsafe behavior.

Reasonable to install as a reference skill. When applying its examples, treat email addresses, webhook payloads, API keys, webhook secrets, IP/location details, and engagement events as sensitive; use stable idempotency keys for retries, verify webhooks, minimize stored data, restrict access, and define retention/deletion windows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The retry example calls `resend.emails.send(emailData)` repeatedly without showing how to preserve and resend the same idempotency key across attempts. In an email-sending reliability guide, this omission is dangerous because implementers may copy the example directly, causing duplicate transactional emails when timeouts or partial failures occur.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guidance encourages storing raw webhook event data and links to webhook ingestion/storage resources, but it omits any warning about minimization, retention limits, access controls, or the privacy implications of storing engagement and recipient data. In an email system, webhook payloads can include personal data and behavioral telemetry, so developers may retain sensitive event histories indefinitely or log them broadly, increasing privacy, compliance, and breach exposure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.