Nylas Email, Calendar & Contacts

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Nylas email/calendar integration, but it deserves Review because it can read sensitive account data and perform real send, update, and delete actions across auto-discovered accounts without documented confirmation guardrails.

Install only if you trust the Nylas plugin package and are comfortable granting the agent access to the connected accounts behind your Nylas API key. Use the narrowest Nylas grants/scopes possible, avoid broad multi-account keys when unnecessary, and manually confirm any email send, attendee change, event update, or deletion before allowing the action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill advertises tools that can send emails and create, update, or delete calendar data, but it does not prominently warn users that these operations can cause real-world side effects. In an agent context, this omission increases the risk that a user or downstream system invokes destructive or externally visible actions without clear informed consent, especially across multiple connected accounts.

VirusTotal

58/58 vendors flagged this skill as clean.
