Enormail

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Enormail integration that uses Membrane to manage email marketing data, with high-impact actions users should confirm carefully.

Install this only if you trust Membrane and are comfortable connecting an Enormail account through it. Require explicit confirmation before sending or scheduling campaigns, deleting lists or contacts, unsubscribing contacts, or using raw proxy requests, and verify target names, IDs, and recipients first.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill advertises destructive actions such as deleting lists and contacts without any guidance to require explicit user confirmation or to verify identifiers before execution. In an agent setting, this increases the chance of accidental irreversible data loss from ambiguous prompts or mistaken entity selection.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The proxy request feature allows arbitrary API calls through an authenticated connection, but the documentation does not warn about sending sensitive data, accessing unsupported endpoints, or performing high-impact state-changing operations. In a tool-using agent, this broad escape hatch can bypass safer pre-built actions and increase the risk of over-collection, unintended writes, or misuse of connected account privileges.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal