Back to skill

Security audit

cold-email

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cold-email skill that uses SkillBoss's API as advertised, with the main caveat that lead contact data is sent to that external service.

Install only if you are allowed to send prospect or lead data to SkillBoss. Use a scoped API key, omit optional personal fields when they are not needed, and review SkillBoss privacy, retention, and compliance terms before processing regulated or sensitive contact lists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly sends lead data, including email addresses and optionally LinkedIn/profile and company website data, to a third-party API but does not provide a clear user-facing privacy or data-sharing warning. This can cause users to unknowingly transmit personal or potentially regulated business contact data off-platform, creating privacy, compliance, and trust risks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.