Agentic Letters

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it can immediately send paid physical mail containing user documents and addresses without a built-in final confirmation step.

Install only if you trust agentic-letters.com with PDFs, postal addresses, account metadata, and a bearer key that can spend mailing credits. Before each send, require the agent to show the final document, recipient, country, and credit impact, then approve explicitly. Periodically delete old local records if recipient data should not remain on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation indicates it can read environment secrets, read/write local files, and make network requests, but those capabilities are not explicitly declared in a permission model. That reduces transparency and makes it harder for a host agent or user to understand that API keys, PDFs, addresses, and local records will be accessed and transmitted externally. In this context, those capabilities are expected for a mailing integration, but the lack of explicit declaration is still a real security weakness because the skill handles sensitive personal data and persistent local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The manifest frames the skill as sending physical letters in Germany, but the documented behavior also includes account-wide listing, credit checks, status lookups, and local record persistence. That mismatch matters because an agent may invoke the skill expecting a narrow one-shot send operation while the skill can also reveal account metadata, enumerate prior letters, and store recipient information locally. The exposed `--country` parameter further weakens the Germany-only claim, creating ambiguity about delivery scope and data transfer boundaries.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill manifest advertises only sending physical letters, but the CLI also exposes account-level operations to list all letters and check remaining credits. In an agent context, this scope mismatch can cause the agent to access or reveal broader account data than the user intended, violating least privilege and increasing the chance of unintended data exposure.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The manifest states Germany-only usage, but the code accepts arbitrary country codes and forwards them directly to the API. In an agentic environment this can bypass policy or user expectations, enabling unintended international mail dispatch, higher costs, or compliance issues.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger guidance includes very broad phrases such as 'send a letter' and similar wording, which can cause the skill to activate in situations where the user did not intend to transmit a real document and postal address to an external service. In this skill, unintended invocation is more dangerous than usual because activation may lead to generating a legal notice, consuming paid credits, transmitting PII, and creating a physical mail action that cannot be easily undone.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill handles highly sensitive data: PDF document contents, recipient identity, postal address, and account usage metadata, all of which are sent to an external mailing API and then physically mailed. Without an explicit user warning and consent checkpoint, users may unknowingly authorize disclosure of personal or legal documents to a third party, creating privacy, compliance, and irreversible action risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool sends base64-encoded PDF contents and recipient PII to a third-party API as part of normal operation, but the CLI flow provides no explicit disclosure or consent checkpoint. In an AI-agent setting, users may not realize highly sensitive document contents and addresses are leaving the local environment, creating privacy and compliance risk.
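The Overview's recommendation (show the final document, recipient, country and credit impact, then approve explicitly), the Germany-only country finding and the two consent-checkpoint findings all call for the same control: a gate between the agent and the call that actually dispatches the letter. The following is an added example of such a gate, not code from the Agentic Letters skill or from SkillSpector. The field names, the DE-only allow-list, the one-credit-per-letter cost and the literal approval token are assumptions chosen to match the findings, not the skill's real API.

```python
"""Pre-send approval gate for a mail-dispatching agent skill (added example).

Runs a policy check (country allow-list, PDF sanity, credit balance), then
shows a summary the human must approve with a literal token before the real
send callable is invoked. Field names, the DE-only allow-list and the credit
cost are assumptions, not the Agentic Letters API.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Callable

ALLOWED_COUNTRIES = frozenset({"DE"})  # what the manifest claims; widen deliberately, not by default
APPROVAL_TOKEN = "SEND"                # a bare "yes" is too easy for an agent to emit by accident


@dataclass(frozen=True)
class Recipient:
    name: str
    street: str
    postal_code: str
    city: str
    country: str  # ISO 3166-1 alpha-2, the value that would reach --country


@dataclass(frozen=True)
class SendRequest:
    pdf_bytes: bytes
    recipient: Recipient
    credits_available: int
    credits_per_letter: int = 1  # assumed pricing model


class SendBlocked(Exception):
    """Raised when policy or the human declines; the send callable is never reached."""


def policy_check(req: SendRequest) -> list[str]:
    """Return the policy violations; an empty list means the request may be shown for approval."""
    problems: list[str] = []
    country = req.recipient.country.strip().upper()
    if len(country) != 2 or not country.isalpha():
        problems.append(f"country {req.recipient.country!r} is not a two-letter code")
    elif country not in ALLOWED_COUNTRIES:
        problems.append(f"country {country} is outside the allow-list {sorted(ALLOWED_COUNTRIES)}")
    if not req.pdf_bytes.startswith(b"%PDF-"):
        problems.append("payload does not start with a PDF header")
    if req.credits_per_letter > req.credits_available:
        problems.append(f"send needs {req.credits_per_letter} credit(s), only {req.credits_available} available")
    return problems


def approval_summary(req: SendRequest) -> str:
    """Everything the user must see before approving: document fingerprint, recipient, country, credit impact."""
    r = req.recipient
    digest = hashlib.sha256(req.pdf_bytes).hexdigest()
    remaining = req.credits_available - req.credits_per_letter
    return "\n".join([
        f"document : {len(req.pdf_bytes)} bytes, sha256 {digest[:16]}...",
        f"recipient: {r.name}, {r.street}, {r.postal_code} {r.city}",
        f"country  : {r.country.strip().upper()}",
        f"credits  : {req.credits_per_letter} used, {remaining} of {req.credits_available} left after send",
        f"type {APPROVAL_TOKEN} to dispatch physical mail; anything else cancels",
    ])


def gated_send(req: SendRequest, approve: Callable[[str], str], send: Callable[[SendRequest], dict]) -> dict:
    """approve() must be wired to the human (terminal prompt, chat UI), never to the model's own output."""
    problems = policy_check(req)
    if problems:
        raise SendBlocked("; ".join(problems))
    if approve(approval_summary(req)).strip() != APPROVAL_TOKEN:
        raise SendBlocked("user did not approve the send")
    return send(req)


if __name__ == "__main__":
    # Constructed sample request; the send callable is a stand-in for the real dispatch.
    sample = SendRequest(
        pdf_bytes=b"%PDF-1.7\n%constructed sample document\n",
        recipient=Recipient("Max Mustermann", "Musterstr. 1", "10115", "Berlin", "DE"),
        credits_available=5,
    )
    try:
        print(gated_send(sample, lambda summary: input(summary + "\n> "), lambda r: {"status": "queued"}))
    except SendBlocked as exc:
        print(f"blocked: {exc}")
```

The important design point is that `approve` is a callback supplied by the harness, so the model cannot satisfy the check by generating the token itself; the gate also refuses before any summary is shown when the country or credit policy fails, so an out-of-scope `--country` never reaches the API.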

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill stores local JSON records containing recipient name, street, postal code, city, and other metadata under the workspace without warning the user. Persistent storage of PII can expose sensitive data to other local processes, future agent runs, backups, or users sharing the environment.
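The Overview's advice to periodically delete old local records is the counterpart to this finding. The following is an added example of a retention sweep over such records, not code from the Agentic Letters skill. It assumes one JSON file per letter in a records directory with a `recipient` object holding `name`, `street`, `postal_code` and `city`; the actual layout the skill writes may differ and should be checked first. The sample records it builds are constructed for the demonstration.

```python
"""Retention sweep for locally persisted letter records (added example).

Records older than delete_after_days are removed; records older than
redact_after_days have recipient PII stripped but keep letter id and
status, so delivery tracking still works. File layout and field names are
assumptions about what the skill writes, not its documented format.
"""
import json
import os
import tempfile
import time
from pathlib import Path

PII_FIELDS = ("name", "street", "postal_code", "city")  # assumed keys under "recipient"
DAY = 86400


def sweep_records(records_dir, redact_after_days=30, delete_after_days=365, now=None):
    """Age is taken from the file's mtime and preserved across the redaction rewrite,
    so a redacted record is still deleted on schedule instead of being rejuvenated."""
    now = time.time() if now is None else now
    outcome = {"deleted": [], "redacted": [], "skipped": []}
    for path in sorted(Path(records_dir).glob("*.json")):
        st = path.stat()
        age_days = (now - st.st_mtime) / DAY
        if age_days > delete_after_days:
            path.unlink()
            outcome["deleted"].append(path.name)
            continue
        if age_days <= redact_after_days:
            continue  # recent enough to keep intact (letter may still be in transit)
        try:
            record = json.loads(path.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, UnicodeDecodeError):
            outcome["skipped"].append(path.name)  # leave unparseable files for a human to inspect
            continue
        recipient = record.get("recipient")
        if not isinstance(recipient, dict) or not any(k in recipient for k in PII_FIELDS):
            continue  # nothing left to strip
        for key in PII_FIELDS:
            recipient.pop(key, None)
        recipient["redacted"] = True
        tmp = path.with_name(path.name + ".tmp")
        tmp.write_text(json.dumps(record, indent=2), encoding="utf-8")
        os.replace(tmp, path)                            # atomic swap, no half-written record
        os.utime(path, (st.st_atime, st.st_mtime))       # keep the original age for the delete threshold
        outcome["redacted"].append(path.name)
    return outcome


def _write(path, text, mtime):
    path.write_text(text, encoding="utf-8")
    os.utime(path, (mtime, mtime))


def demo(now=1_700_000_000):
    """Constructed sample records (not real skill output) at 400, 40 and 2 days old,
    plus one corrupt file; returns the sweep outcome and the surviving records."""
    def record(letter_id, status):
        return json.dumps({
            "letter_id": letter_id, "status": status, "country": "DE",
            "recipient": {"name": "Max Mustermann", "street": "Musterstr. 1",
                          "postal_code": "10115", "city": "Berlin"},
        })

    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        _write(d / "letter_0001.json", record("0001", "delivered"), now - 400 * DAY)
        _write(d / "letter_0002.json", record("0002", "delivered"), now - 40 * DAY)
        _write(d / "letter_0003.json", record("0003", "queued"), now - 2 * DAY)
        _write(d / "broken.json", "{not json", now - 40 * DAY)
        outcome = sweep_records(d, now=now)
        redacted = json.loads((d / "letter_0002.json").read_text(encoding="utf-8"))
        fresh = json.loads((d / "letter_0003.json").read_text(encoding="utf-8"))
        return {"outcome": outcome, "redacted_record": redacted, "fresh_record": fresh}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real records directory only after confirming the field names; the sweep deliberately refuses to touch files it cannot parse rather than deleting them blindly.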

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup

```bash
mkdir -p ~/.openclaw/secrets
echo 'AGENTIC_LETTERS_API_KEY=al_your_api_key' > ~/.openclaw/secrets/agentic_letters.env
```
Confidence
87% confidence
Finding
mkdir -p ~/.openclaw/secrets echo 'AGENTIC_LETTERS_API_KEY=al_your_api_key' > ~/.openclaw
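The setup commands above create the secrets directory and the `.env` file with whatever mode the shell's current umask allows, so on a shared or multi-user host the bearer key can end up readable by other accounts. The following is an added example, not part of the Agentic Letters skill or its documentation: it writes the key file with explicit owner-only modes and checks them before the key is loaded. The file and variable names come from the setup snippet; the check logic and the demonstration directory are illustrative.

```python
"""Owner-only storage for the skill's API key (added example, not the skill's code).

write_secret_file pins the directory to 0700 and the file to 0600 regardless
of umask; check_secret_file refuses a key file that group/others can read or
that belongs to another user. The file and variable names follow the setup
snippet on this page; the rest is an illustrative choice.
"""
import os
import stat
import tempfile
from pathlib import Path


def write_secret_file(path, var, value):
    """Create the parent directory 0700 and the key file 0600, independent of umask.
    An existing looser file is truncated and tightened rather than left as-is."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)
    # The mode given to os.open() is still masked by umask, hence the chmod afterwards.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, f"{var}={value}\n".encode("utf-8"))
    finally:
        os.close(fd)
    os.chmod(path, 0o600)
    return path


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def check_secret_file(path):
    """Return a list of problems; an empty list means the file is safe to load."""
    path = Path(path)
    if not path.is_file():
        return ["key file missing"]
    problems = []
    if _mode(path) & 0o077:
        problems.append(f"key file mode {oct(_mode(path))} is readable by group/others")
    if _mode(path.parent) & 0o077:
        problems.append(f"secrets directory mode {oct(_mode(path.parent))} is open to group/others")
    if hasattr(os, "getuid") and path.stat().st_uid != os.getuid():
        problems.append("key file is not owned by the current user")
    return problems


def demo():
    """Constructed demonstration in a temp dir: a permissive umask (022) is set on
    purpose so the difference between the hardened write and a naive write shows."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            good = write_secret_file(Path(d) / "secrets" / "agentic_letters.env",
                                     "AGENTIC_LETTERS_API_KEY", "al_example_not_a_real_key")
            naive = Path(d) / "secrets" / "naive.env"   # written the way the setup snippet does
            naive.write_text("AGENTIC_LETTERS_API_KEY=al_example_not_a_real_key\n", encoding="utf-8")
            return {
                "good_mode": oct(_mode(good)),
                "good_problems": check_secret_file(good),
                "naive_mode": oct(_mode(naive)),
                "naive_problems": check_secret_file(naive),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Calling `check_secret_file` from whatever loads `~/.openclaw/secrets/agentic_letters.env`, and refusing to start the skill when it reports problems, turns the file mode from a one-time setup detail into something verified on every run.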

VirusTotal

66/66 vendors reported this skill as clean.

View on VirusTotal