Hide My Email

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but installation fetches unreviewed runtime code from GitHub before using broad macOS Accessibility automation.

Install only if you are comfortable trusting the upstream GitHub repository, because the reviewed bundle does not include the runtime `hme` and AppleScript files that will receive Accessibility-enabled execution. Prefer cloning and inspecting the repository over `curl | sh`, review `hme` and `hide_my_email.applescript`, and grant Terminal Accessibility only while you need this tool.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill documentation omits a clear warning that generated email addresses are automatically copied to the system clipboard, which can expose sensitive data to clipboard-history tools, remote desktop sessions, or other apps with clipboard access. Because the behavior is automatic and tied to potentially privacy-sensitive aliases, users may disclose addresses unintentionally.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal