Constant Contact

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Constant Contact integration that can change marketing data, but its artifacts clearly describe that authority and require explicit confirmation for writes.

Install only if you intend to let an agent administer a Constant Contact account through Maton. Treat it as live-account access: set MATON_API_KEY carefully, verify the Maton-Connection header when multiple accounts exist, and approve only specific write, delete, bulk, send, or schedule actions after reviewing the affected resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill documents create/update actions and a generic proxy request capability without an explicit warning that these operations can modify, overwrite, or delete Constant Contact data. In an agent setting, this increases the chance of unintended state-changing actions being executed without clear user awareness or confirmation, especially when proxy requests can reach destructive API endpoints beyond the listed safe reads.

VirusTotal

65/65 vendors flagged this skill as clean.
