DoubleTick

Security checks across malware telemetry and agentic risk

Overview

DoubleTick is a disclosed Gmail email-tracking skill, but users should treat it as privacy-sensitive before sending tracked messages.

Install only if you want an agent-accessible tool that can send Gmail messages with open tracking. Review OAuth/login prompts, confirm each recipient and message before sending, and use tracking only where it is lawful and allowed by your organization or recipients' expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly enables covert email-open tracking by injecting a tracking pixel and exposing recipient open data, but it does not warn users about the privacy, consent, and compliance implications of monitoring recipients. In many contexts this can facilitate undisclosed surveillance or violate workplace policy, anti-spyware expectations, or privacy regulations, especially because the feature is presented as a normal productivity tool without safeguards or disclosure guidance.

VirusTotal

61/61 vendors flagged this skill as clean.