Email Automation

Security checks across malware telemetry and agentic risk

Overview

This email automation skill is not clearly malicious, but it needs review because it can use real marketing-platform credentials and affect subscriber or campaign data while its scope and safeguards are under-specified.

Install only if you intend to connect a real ConvertKit account, and treat it as ConvertKit-only unless reviewed Mailchimp support is added. Use a test account or test audience first, verify every recipient, sequence ID, and subscriber action before running commands, avoid exposing API secrets or license keys in shell history/logs, and make sure every contact enrollment has valid consent and unsubscribe handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill advertises shell-invocable operations but declares no permissions or capability requirements, which weakens governance and informed consent around actions that can affect external systems. Even though the visible content is documentation-oriented, the examples imply command execution that can send emails or modify subscriber state, so the lack of declared permissions is a real security and safety gap.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 84%
Finding
A description-behavior mismatch is dangerous because users may authorize the skill for one purpose while it performs additional data access or local file-writing behaviors they did not expect. Here, the claimed scope is generic email automation, but the detected behavior includes subscriber-data retrieval, reporting, local draft creation, and provider-specific functionality, which increases the chance of unintended data exposure or misuse.

Missing User Warnings

Medium
Confidence: 91%
Finding
The deployment guidance recommends auto-enrolling buyers into email sequences and integrating buyer-list data flows, but it gives no consent, notice, lawful-basis, or unsubscribe/compliance guidance. In an email automation context, this can lead to unauthorized marketing, privacy violations, and regulatory exposure under anti-spam and data protection rules.

Vague Triggers

Medium
Confidence: 88%
Finding
An unconstrained skill with empty trigger patterns and no activation restrictions can be invoked too broadly or in inappropriate contexts, increasing the risk of accidental email sends or subscriber modifications. For a skill that performs external communications and contact-list changes, loose activation boundaries materially increase misuse potential.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation omits warnings that the skill can send emails and alter subscriber records, so users may trigger actions without understanding their external impact or compliance implications. In email tooling, undisclosed state-changing behavior can lead to unauthorized outreach, mailing-list integrity issues, privacy concerns, and reputational damage.

Missing User Warnings

Medium
Confidence: 97%
Finding
The function sends the ConvertKit API secret in the URL query string, which is commonly logged by shells, proxies, reverse proxies, browser tooling, and monitoring systems. Even though the destination is the legitimate ConvertKit API over HTTPS, placing credentials in URLs increases the chance of credential leakage beyond the intended recipient.

Missing User Warnings

Medium
Confidence: 97%
Finding
The subscriber-fetching function again includes the API secret in the request URL, creating the same credential-exposure risk through logs and intermediaries. This is especially sensitive because the endpoint retrieves subscriber data, so compromise of the secret could enable broader account access and data exposure.

Missing User Warnings

Low
Confidence: 88%
Finding
The email instructs users to run package installation and activation commands directly, including a license key on the command line. This is risky because command-line arguments can be exposed via shell history, process listings, logs, or screenshots, and the template provides no warning or safer alternative. In an email automation context, recipients are especially likely to copy-paste commands without scrutiny, which increases the chance of credential leakage or unsafe execution.

VirusTotal

63/63 vendors flagged this skill as clean.
