Mail Blaze

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Mail Blaze integration, but it gives an agent broad authenticated access that could modify or delete live marketing data without clear confirmation rules.

Install only if you trust the publisher and intend to let an agent operate your Mail Blaze account. Use a least-privilege or test account where possible, and require the agent to show the exact endpoint, method, payload, affected records, and expected impact before any write, delete, campaign, contact, template, tag, or sequence change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly documents arbitrary proxy requests to an external API and emphasizes that authentication headers will be injected automatically, but it does not warn the agent to obtain user confirmation before transmitting potentially sensitive data. In an agent setting, this increases the risk of unintended data exfiltration or privacy violations because free-form requests can send user content, records, or metadata off-platform with little friction.

VirusTotal

63/63 vendors flagged this skill as clean.
