Back to skill

Security audit

Email Sequence Pack

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly an upsell page that advertises paid external templates, scripts, and email automation that are not actually included in the reviewed package.

Treat this as a review item before installing. It does not appear to contain malware or executable code, and VirusTotal/static scans were clean, but the package materially overstates what is included and directs users to paid external delivery for the real assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill advertises capabilities such as auto-send, CSV upload, scheduled delivery, and bundled scripts, but the provided file contains only promotional text, payment links, and off-platform contact details. This is dangerous because users and agents may trust the manifest to grant or invoke capabilities that do not exist locally, creating a deceptive supply-chain pattern that can route users to unreviewed external content or purchases.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The top-level metadata claims the package includes templates, frameworks, examples, and Python/JS scripts, but those assets are not present in the reviewed file. Misrepresenting packaged functionality undermines trust in the skill and can be used to socially engineer users into obtaining external, unvetted content advertised as part of the skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.