GetPost Mail and Shipping API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward shipping API instruction skill, but users should treat label purchases, API keys, and address sharing carefully.

Before using this skill with live data, verify GetPost's pricing, billing, privacy, and carrier-sharing terms. Keep the bearer API key private, prefer test or limited keys if available, and require explicit confirmation of sender, recipient, parcel, carrier, rate, and total cost before buying any label.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill includes examples that create accounts, request shipping rates, buy labels, and track parcels while sending names and full postal addresses to an external service, but it provides no warning about third-party data sharing, billing implications, or the need for explicit user consent. In an agent context, this can lead to unintended purchases and disclosure of personal data if an agent follows the examples automatically.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal