Mailersend

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Mailersend integration, but it allows broad authenticated email-account actions without clear confirmation safeguards.

Review before installing. Use a least-privileged Mailersend/Membrane connection, avoid exposing sensitive recipient or message data unnecessarily, and require explicit approval before sending emails, editing recipients/templates/domains/tokens/users, deleting resources, or making raw proxy requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly documents arbitrary proxy requests to the external Mailersend API without requiring any user-confirmation guidance or warning that data supplied to the command will be sent to a third-party service. This increases the chance that an agent could forward sensitive content, query high-risk endpoints, or perform state-changing operations through the proxy based only on loose user prompts.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal