Emailoctopus

Security checks across malware telemetry and agentic risk

Overview

This EmailOctopus integration is coherent, but it gives an agent account-changing email marketing powers without enough built-in safeguards for deletes or raw API requests.

Review this skill before installing if the EmailOctopus account contains production mailing lists or customer data. Use it only with the intended account, and require explicit confirmation before deletes, automation starts, bulk updates, or raw proxy requests; have the agent show the exact action, list/contact IDs, and expected effect first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly advertises destructive operations such as Delete Contact and Delete List without any accompanying guidance to require user confirmation, verify scope, or warn about irreversible effects. In an agent setting, this increases the chance of accidental or over-broad destructive actions being executed on a user's mailing data, especially if the agent interprets a vague request too aggressively.

VirusTotal

65/65 vendors flagged this skill as clean.
