email-designer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only email design skill, with the main caution that generated emails may reference remote fonts or images.

Safe to install for HTML email template generation. Review generated emails before sending, especially any Google Fonts or Unsplash links, and replace remote assets with approved company-hosted images or fonts when privacy, branding, or deliverability requirements matter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (88% confidence)
Finding
The skill description and trigger condition are broad enough that ordinary requests about email content, outlines, or EDM creation could invoke this skill unintentionally. Over-broad activation can route unrelated user input into a rigid HTML-generation workflow, causing misfires, policy bypass of user intent, or unintended external-content generation behaviors.

Natural-Language Policy Violations

Medium (76% confidence)
Finding
The skill is authored entirely in Chinese and implicitly assumes Chinese output/interaction without offering language selection or honoring the user's language. This can cause incorrect-language responses, degraded usability, and accidental mishandling of user requests, though it is primarily a quality and safety-of-operation issue rather than a direct security flaw.

VirusTotal

66/66 vendors flagged this skill as clean.
