Signal Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned for signal aggregation, but it reaches into Gmail and other external sources and stores collected data locally without enough scoping or user-control detail.

Review before installing. Use this only with a dedicated newsletter mailbox or tightly scoped Gmail setup, confirm what sources are enabled, inspect where databases are written, and delete stored data when it is no longer needed. The shell command construction should be fixed before accepting configurable queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_gog(query):
    """Run gog command and return JSON"""
    try:
        result = subprocess.run(
            f"gog gmail search '{query} newer_than:30d' --max 5 --json",
            shell=True,
            capture_output=True,
Confidence
96% confidence
Finding
result = subprocess.run( f"gog gmail search '{query} newer_than:30d' --max 5 --json", shell=True, capture_output=True, text=True, ti

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and instructs use of capabilities including network access, shell execution, and local file/database writes, but does not declare permissions or provide any guardrails. In an agent setting, this can lead to silent collection of external data, Gmail access, and persistent local storage without clear user awareness or consent.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code persists gathered signals and generated drafts to a fixed local path under a user workspace, which expands the skill from transient aggregation into durable storage of potentially sensitive content. In this skill context, signals can come from X, Telegram, RSS, and Gmail newsletters, so writing them to disk and later aggregating them increases privacy and data-governance risk, especially because there is no consent flow, retention policy, directory creation/permission hardening, or minimization of stored content.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to configure Gmail access and notes that data is stored locally in multiple databases, but it does not warn about the sensitivity of email content, retention implications, or the local privacy impact. In a skill that aggregates newsletters and signals from several services, this omission can lead users to ingest personal or sensitive content without informed consent or appropriate safeguards.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation description is broad enough to match many generic requests about trends, content creation, research, or intelligence gathering, increasing the chance the skill is triggered in contexts where the user did not intend external monitoring or mailbox access. Over-broad routing is dangerous here because the skill spans multiple sensitive sources and can persist collected data locally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation omits warnings that the skill may access Gmail newsletters, scrape multiple external sources, and store collected content in local SQLite databases. This lack of transparency can cause users to unknowingly authorize collection of personal or third-party data, with privacy, compliance, and data-retention risks amplified by persistent storage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill accesses Gmail/newsletter data through get_marketing_signals() without any user-facing disclosure, consent gate, or scope transparency. In this specific skill, email access is more sensitive than public RSS/X data because newsletters may include personal inbox metadata, subscription details, and other private content; silent access increases privacy, compliance, and trust risks.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This skill accesses Gmail newsletter content via the gog CLI without any user-facing disclosure, consent, or scope limitation messaging. Because mailbox data is sensitive and may include personal or proprietary content beyond intended newsletters, silent access increases privacy and data-governance risk in an agent context.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The code collects content from external services and persists it locally in SQLite without any consent notice, retention policy, or operator-facing disclosure about what is being stored. In a marketing intelligence skill, this increases privacy and compliance risk because scraped content may contain personal data, and silent local accumulation creates an unreviewed data store that could later be misused or exposed.

VirusTotal

66/66 vendors flagged this skill as clean.
