Outreach Demo

Security checks across malware telemetry and agentic risk

Overview

This outreach skill is mostly coherent, but it needs review because it can send real Gmail messages and the send script does not enforce the approval gate described in its instructions.

Install only if you are comfortable with an agent preparing outreach materials and, after your approval, sending real email through a configured Gmail/gog account. Before using it, verify the sender account, use --dry-run or a manual preview first, and do not render untrusted HTML to PDF with --no-sandbox outside an isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill declares no permissions while instructing use of local scripts, config files, and environment-backed sender configuration, which implies file read/write and environment access that is not surfaced to reviewers. This is dangerous because hidden capabilities reduce informed consent and can enable unexpected access to local data or outbound workflow execution under the guise of a simple research/drafting skill.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose emphasizes website research and draft generation, but the skill also references Gmail sending, PDF generation via headless browser tooling, and loading sender identity from environment or config. This mismatch is dangerous because operators may approve or invoke the skill expecting passive content preparation while it actually enables outbound communication and access to the execution environment and configuration, increasing the risk of unintended email sends, misuse of credentials, or unsafe script execution paths.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The script performs live outbound email delivery through Gmail even though the skill is described as producing approval-gated outreach drafts. That creates a capability/behavior mismatch: a user invoking a research/demo skill could unintentionally send real messages to external recipients, causing unauthorized communication, spam, privacy issues, or reputational harm.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: Direct outbound email is not justified by the stated purpose of researching websites and preparing personalized prospecting materials. In this context, the ability to send mail externally expands the blast radius from content generation to real-world action, enabling accidental or unauthorized outreach from a configured Gmail account.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The script performs live email delivery via `gog gmail send`, while the skill description says it should produce an approval-gated outreach draft. That creates a capability/intent mismatch: researched content, HTML, and attachments can be transmitted externally without an explicit review-and-approve control in the script itself, enabling unintended outreach or data exfiltration.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: Outbound email transmission is not necessary for website research, prospect reporting, or preparing personalized materials; it expands the skill from analysis into external action. In an agent setting, this broader capability is dangerous because generated content can be sent to arbitrary recipients, creating spam, reputational harm, and accidental disclosure risks.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script launches Chromium with `--no-sandbox` while rendering attacker-influenced HTML from a local file, which removes an important browser isolation boundary. If the HTML or any loaded active content triggers a browser vulnerability, code execution would occur with the privileges of the calling process, making this materially dangerous even in a demo/report-generation workflow.
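The two helpers below show the hardened shape of this step: a reviewer-side check that lists every browser launch in a script that drops the sandbox, and a render wrapper that keeps the sandbox on unless the caller explicitly asserts an outer isolation boundary. This is an added example, not the skill's own script or SkillSpector's code; the `chromium` binary name, the `OUTREACH_ISOLATED` environment variable and the sample script are assumptions made here. `--headless`, `--disable-gpu`, `--print-to-pdf=<path>` and `--no-sandbox` are real Chromium flags.

```python
"""Keep Chromium's sandbox on when printing untrusted HTML to PDF.

Added example, not the skill's own script.  Assumed: a `chromium` binary on
PATH and an OUTREACH_ISOLATED=1 environment variable as the caller's assertion
that an outer boundary (container or VM) exists.  --headless, --disable-gpu,
--print-to-pdf=<path> and --no-sandbox are real Chromium flags.
"""
import os
import re
import subprocess
from pathlib import Path

# Flags that remove or weaken the renderer sandbox.  A tuple, not a set, so
# review output is deterministic.
SANDBOX_WEAKENING = ("--no-sandbox", "--disable-setuid-sandbox", "--disable-web-security")

# Constructed sample of the kind of render/send script a skill might ship.
SAMPLE_SCRIPT = """#!/bin/sh
set -e
chromium --headless --no-sandbox --print-to-pdf=report.pdf report.html
gog gmail send --to "$1" --subject "$2" --body "$3"
"""


def find_unsafe_invocations(script_text):
    """Pre-install review: (line_no, flag) for every browser launch that
    drops the sandbox, i.e. the pattern the finding above describes."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), 1):
        if re.search(r"\b(chrom(e|ium)|google-chrome|headless)\b", line, re.I):
            for flag in SANDBOX_WEAKENING:
                if flag in line:
                    hits.append((n, flag))
    return hits


def chromium_pdf_argv(html_path, pdf_path, binary="chromium", isolated_env=None):
    """Build the print-to-PDF command.  --no-sandbox is appended only when the
    caller has asserted an outer isolation boundary; otherwise the sandbox
    stays on, which means the renderer must run as a non-root user."""
    if isolated_env is None:
        isolated_env = os.environ.get("OUTREACH_ISOLATED") == "1"
    argv = [binary, "--headless", "--disable-gpu", f"--print-to-pdf={pdf_path}"]
    if isolated_env:
        argv.append("--no-sandbox")
    # A file:// URI rather than a bare path: a filename beginning with '-'
    # cannot then be parsed as a flag.
    argv.append(Path(html_path).resolve().as_uri())
    return argv


def render_pdf(html_path, pdf_path, timeout=60, **kw):
    """Run the renderer with a timeout; hostile HTML can otherwise hang it."""
    subprocess.run(chromium_pdf_argv(html_path, pdf_path, **kw),
                   check=True, timeout=timeout, stdin=subprocess.DEVNULL)
    return Path(pdf_path)


if __name__ == "__main__":
    for n, flag in find_unsafe_invocations(SAMPLE_SCRIPT):
        print(f"line {n}: browser launched with {flag}")
    print(" ".join(chromium_pdf_argv("report.html", "report.pdf", isolated_env=False)))
```

Running the script against the constructed sample reports line 3; building the command without `isolated_env` yields a sandboxed invocation. If the renderer must run as root inside a container, set the assumed `OUTREACH_ISOLATED=1` there and nowhere else, so the container, not the absence of a sandbox, is the boundary you are relying on.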

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script sends immediately once required arguments are supplied, with no interactive confirmation or user-facing warning before transmission. In a prospecting workflow, that is dangerous because generated content may be inaccurate, unreviewed, or targeted at the wrong recipient, and the skill context explicitly suggests drafts should be approval-gated.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script sends plain text, HTML body content, and an attachment to an external recipient without any user-facing disclosure or consent checkpoint. Because the skill processes business website research and prospect materials, the transmitted payload may include scraped data, generated claims, or internal notes, increasing the risk of unintended external disclosure.
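The findings above about sending via `gog gmail send` with no review-and-approve control and no consent checkpoint all come down to the same missing gate. The wrapper below is an added example of that gate, not the skill's own send script: it is dry-run by default, binds approval to a digest of the exact draft so an edit after approval invalidates the approval, allowlists recipient domains, and only attaches files from a designated outbox directory. The gog flags `--to`, `--subject`, `--body` and `--attach`, the `OUTBOX_DIR` location and the allowlist are assumptions made here and are not taken from the page; confirm the flags against `gog gmail send --help` before use.

```python
"""Approval gate in front of `gog gmail send`.

Added example, not the skill's own send script.  Assumed: the gog flags
--to, --subject, --body and --attach (not taken from the page; check
`gog gmail send --help`), an OUTBOX_DIR that is the only directory attachments
may come from, and an allowlist of recipient domains.  Dry-run is the default;
a real send requires an approval token equal to the digest of the exact
draft, so any edit after approval invalidates it.
"""
import hashlib
import json
import subprocess
from pathlib import Path

OUTBOX_DIR = Path("/tmp/outreach-outbox")   # assumed location of generated material
ALLOWED_DOMAINS = {"example.com"}           # assumed recipient allowlist


class SendRefused(Exception):
    """Raised whenever the gate declines to build a send command."""


def draft_digest(draft):
    """Short hash over everything that would leave the machine."""
    canon = json.dumps(draft, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()[:16]


def _recipient_domain(addr):
    if addr.count("@") != 1 or any(c.isspace() for c in addr):
        raise SendRefused(f"malformed recipient {addr!r}")
    return addr.rsplit("@", 1)[1].lower()


def _checked_attachment(path):
    """Only files under OUTBOX_DIR may be attached, so a prompt-injected
    'attach ~/.ssh/id_ed25519' or '.env' is refused."""
    p = Path(path).resolve()
    if not p.is_relative_to(OUTBOX_DIR.resolve()):
        raise SendRefused(f"attachment outside outbox: {path}")
    return str(p)


def gate(draft, approval=None, dry_run=True, allowed_domains=ALLOWED_DOMAINS):
    """Return (mode, digest, argv) where mode is 'dry-run' or 'send' and argv
    is the gog command that would run.  Raises SendRefused on any policy
    failure; never executes anything itself."""
    if _recipient_domain(draft["to"]) not in allowed_domains:
        raise SendRefused(f"recipient domain not allowlisted: {draft['to']}")
    attachments = [_checked_attachment(a) for a in draft.get("attachments", [])]
    digest = draft_digest(draft)
    argv = ["gog", "gmail", "send", "--to", draft["to"],
            "--subject", draft["subject"], "--body", draft["body"]]
    for a in attachments:
        argv += ["--attach", a]
    if dry_run:
        return ("dry-run", digest, argv)
    if approval != digest:
        raise SendRefused("approval token does not match this draft; "
                          "dry-run, review the preview, then approve its digest")
    return ("send", digest, argv)


def is_refused(draft, **kw):
    """True when the gate rejects the draft under the given options."""
    try:
        gate(draft, **kw)
        return False
    except SendRefused:
        return True


def send(draft, approval=None, dry_run=True):
    """The only place a real `gog gmail send` is executed."""
    mode, digest, argv = gate(draft, approval, dry_run)
    if mode == "dry-run":
        print(f"[dry-run] digest={digest}\n  would run: {argv}")
    else:
        subprocess.run(argv, check=True)
    return digest


if __name__ == "__main__":
    draft = {"to": "prospect@example.com", "subject": "Intro",
             "body": "Hello from the demo", "attachments": []}
    token = send(draft)   # dry-run: prints the digest and the command, sends nothing
    # After a human has read the preview: send(draft, approval=token, dry_run=False)
```

The digest is what the operator approves, not a yes/no prompt, so an agent cannot satisfy the gate by re-running with an edited body, a different recipient, or an extra attachment; each of those changes the digest and forces a fresh dry-run and review.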

VirusTotal

VirusTotal findings are pending for this skill version.