Back to skill

Security audit

Sendflare

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Sendflare email skill, but it can send real emails from parsed natural-language commands without a separate confirmation step.

Install only if you trust the publisher and are comfortable giving this skill a Sendflare API token. Use a limited or revocable token if possible, avoid sensitive message content, and manually verify the recipient, subject, and body before issuing send commands because the skill does not ask for a separate confirmation before sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The privacy statement says the skill only accesses contact information when sending email, but the documented features also include listing, saving, and deleting contacts. This creates a misleading disclosure about data access and processing scope, which can cause users to authorize broader personal-data operations than they reasonably expect.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Using a bare help trigger like '帮助' is overly generic and can be invoked during normal conversation unrelated to this skill. This increases the chance of accidental activation, which may expose capabilities, cause unintended actions, or confuse users about which system is responding.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill documents free-form commands like '发送邮件给...' and '获取联系人列表' without clear trigger boundaries, making it easier for ordinary user text to be interpreted as a command. In a skill that can send emails and manage contacts, ambiguous invocation raises the risk of accidental outbound communication or unintended contact operations.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The help trigger is documented as a bare, generic term ("帮助" / help), which can easily overlap with normal user conversation and unintentionally invoke the skill. In a skill that can send emails and manage contacts, accidental activation could expose contact data or cause unintended outbound actions if subsequent utterances are interpreted as commands.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation does not clearly warn users that email contents, recipient addresses, and contact-management data are transmitted to the external Sendflare service. This creates a privacy and data-handling transparency issue: users may provide sensitive personal or business information without realizing it leaves the local agent context and is processed by a third party.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill will send an email directly from untrusted user-provided natural-language content once the intent regex matches, without any confirmation, recipient allowlisting, or approval gate. In an agent setting, this can be abused through prompt injection, social engineering, or accidental triggering to send unauthorized outbound email containing sensitive or harmful content.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The exact trigger "帮助" is extremely generic and is likely to match routine user requests unrelated to this skill. In an agent environment, this can cause unintended invocation, confusing routing, or accidental exposure of the skill's behaviors when the user only wanted general help.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The simplified regex triggers like "发送邮件到 (.*)|发邮件给 (.*)" are broad and underspecified, making it easier for loosely phrased user input to activate the skill unexpectedly. Because this skill can perform a real external action over the network, overbroad matching increases the risk of unintended email sends or misrouted agent execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill sends email content to an external service immediately after parsing a natural-language request, without any confirmation, preview, or explicit disclosure at the point of transmission. In an agent setting, this increases the risk of unintended exfiltration of sensitive user-provided content or prompt-influenced actions, especially if a malicious or ambiguous message triggers email sending.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.