Back to skill

Security audit

Postmark Email

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Postmark email-management skill that uses ClawLink for authentication and asks for confirmation before write actions.

Install only if you trust ClawLink to broker access to your Postmark account. Review any create, update, delete, suppression, webhook, template, or server-configuration action before confirming it, and do not paste real API tokens or authorization headers into chat examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The webhook creation example embeds a plaintext credential placeholder (`Bearer secret_token`) directly in the skill documentation without any warning not to paste real secrets into chat, logs, or examples. In this skill's context, users are explicitly guided to configure live Postmark integrations and webhooks, so normalizing inline secret handling increases the chance that real bearer tokens will be copied into unsafe places or retained in conversation history.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.