NEXUS Email Compose

Security checks across malware telemetry and agentic risk

Overview

This is a remote, paid email-drafting skill. Its external and paid nature is mostly disclosed, but its broad auto-invocation and payment authority need review before use.

Install only if you intend to use NEXUS as a paid remote drafting provider. Confirm before any paid request or payment transaction, set clear spending controls, and avoid sending secrets, regulated data, or sensitive personal/business communications unless that external processing is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The README states the skill is 'automatically invoked ... when a matching task is detected' without defining concrete trigger boundaries or requiring explicit user confirmation. For a skill that sends user input to a remote paid service, vague auto-invocation increases the risk of unintended data disclosure and unauthorized charges.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill documentation does not clearly warn users that prompts and message content are sent to an external hosted service. This can cause users or downstream agents to provide sensitive business or personal content without informed consent, creating confidentiality and compliance risks.
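Both findings above are documentation-level checks: the README is scanned for auto-invocation wording that is not paired with a confirmation requirement, and for references to a hosted service that are not paired with a disclosure that user content leaves the machine. The following is an added illustration of that kind of check, written for this page; it is not SkillSpector's own logic, and the phrase lists, the rule names, the third payment rule (derived from the overview's advice to confirm paid requests and set spending controls) and both README texts are constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample README, modelled on the wording quoted in the findings.
# It is not the real NEXUS README.
SAMPLE_README = """\
# NEXUS Email Compose

NEXUS is a hosted, paid email-drafting service. This skill is automatically
invoked by the agent when a matching task is detected.

Usage: pass the subject and the message body; a polished draft is returned.
Each request is billed to the account's payment method.
"""

# Constructed hardened README showing the wording that clears each rule.
HARDENED_README = """\
# NEXUS Email Compose

NEXUS is a hosted, paid email-drafting service. The skill is invoked only for
tasks that explicitly request an email draft, and it must confirm with the
user before each request.

Prompts and message content are sent to the NEXUS hosted service; do not
include secrets or regulated data. Each request is billed; the agent enforces
a spending limit configured by the user.
"""


@dataclass
class Finding:
    rule: str
    severity: str
    evidence: str  # the phrase that triggered the rule


# Hypothetical heuristics (assumptions for this example, not SkillSpector's).
AUTO_INVOKE = re.compile(
    r"automatically\s+invoked|when\s+a\s+matching\s+task|auto-?invok", re.I)
CONFIRMATION = re.compile(
    r"\bconfirm\w*\b|\bask(s|ed)?\s+the\s+user\b|\buser\s+approval\b|\bopt[- ]in\b",
    re.I)
REMOTE = re.compile(
    r"\b(hosted|remote|external|cloud|api\s+endpoint)\b|https?://", re.I)
DISCLOSURE = re.compile(
    r"\b(sent|transmitted|uploaded|shared)\s+to\b.*"
    r"\b(service|server|provider|third[- ]party)\b", re.I)
PAYMENT = re.compile(
    r"\b(paid|billed|charged|payment|per[- ]request\s+fee)\b", re.I)
SPEND_CONTROL = re.compile(
    r"\b(spending\s+(limit|cap|control)|budget|max(imum)?\s+charge)\b", re.I)


def scan_skill_doc(text: str) -> list[Finding]:
    """Return documentation findings for a skill README, in rule order."""
    findings: list[Finding] = []

    # Rule 1: auto-invocation language with no confirmation requirement.
    m = AUTO_INVOKE.search(text)
    if m and not CONFIRMATION.search(text):
        findings.append(Finding("Vague Triggers", "Medium", m.group(0)))

    # Rule 2: a remote/hosted service is referenced, but nothing tells the
    # user that their content is transmitted to it.
    m = REMOTE.search(text)
    if m and not DISCLOSURE.search(text):
        findings.append(Finding("Missing User Warnings", "Medium", m.group(0)))

    # Rule 3 (assumed, from the overview's advice): payment is mentioned but
    # neither confirmation nor a spending control is documented.
    m = PAYMENT.search(text)
    if m and not (CONFIRMATION.search(text) and SPEND_CONTROL.search(text)):
        findings.append(
            Finding("Unbounded Payment Authority", "Medium", m.group(0)))

    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_README), ("hardened", HARDENED_README)):
        print(name)
        for f in scan_skill_doc(doc):
            print(f"  {f.severity}: {f.rule} (evidence: {f.evidence!r})")
```

The checks are deliberately phrase-based: a README that says "automatically invoked" and never mentions confirming with the user is the pattern the first finding describes, and the absence of any "sent to ... service" sentence is the pattern the second one describes. A real scanner would pair this with an inspection of the skill's actual trigger definition and network calls; wording alone only tells you what the user was told.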

VirusTotal

VirusTotal findings are pending for this skill version.
