Cold Email Copy

Security checks across malware telemetry and agentic risk

Overview

The skill looks like a cold-email writing aid, but its documentation appears to include unrelated payment or upgrade solicitation that should be reviewed before install.

Review the SKILL.md payment, upgrade, PayPal, or crypto-related language before installing. Install only if you are comfortable with those commercial prompts being present in a cold-email writing skill, and do not send money or use wallet addresses unless they are clearly expected and independently trusted.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Low

Confidence: 94% confidence
Finding: The skill metadata presents the tool as a cold-email copy generator, but the embedded documentation introduces unrelated payment and upgrade solicitation content. This mismatch is risky because it can mislead users and agents, create undisclosed commercial behavior inside the skill, and normalize off-platform payment links and cryptocurrency addresses that are outside the declared skill scope.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal