Shitty Email

Security checks across malware telemetry and agentic risk

Overview

This skill transparently creates temporary inboxes through one external email service, with no hidden code or unrelated behavior found.

Use this for low-risk temporary signups, testing, and disposable verification flows. Do not use it for password resets, important account recovery, regulated data, private correspondence, or accounts you need long-term control over. Treat the inbox token like a temporary password and confirm you no longer need the messages before deleting the inbox.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill encourages use of an external disposable email service but does not prominently warn that user data, message contents, and verification emails will be sent to and stored by a third-party provider. This creates a real privacy and security risk because users may unknowingly route sensitive signup flows, links, or codes through an untrusted external inbox.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal