Send real Document in the Mail via PostalForm

Security checks across malware telemetry and agentic risk

Overview

This skill clearly does what it says: it helps an agent send paid physical mail through PostalForm, with disclosed payment and document-sharing behavior.

Install only if you intentionally want an agent to send real physical mail and make a payment. Use a limited wallet or capped payment client, protect wallet credentials, and verify the document, addresses, quote, network, and amount before submitting a paid order.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This markdown file includes a payment workflow using a wallet keystore and password environment variable, which can affect funds and exposes credential-handling patterns. The section explains how to run the commands but does not include a user-facing warning about protecting wallet credentials, using test funds, or the financial consequences of submitting a paid order.

External Transmission

Medium
Category
Data Exfiltration
Content
## Validate first

```bash
curl -sS -X POST "https://postalform.com/api/machine/orders/validate" \
  -H "content-type: application/json" \
  --data @payload.json
```
Confidence
60% confidence
Finding
curl -sS -X POST "https://postalform.com/api/machine/orders/validate" \ -H "content-type: application/json" \ --data

VirusTotal

66/66 vendors flagged this skill as clean.
