Sendme

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward peer-to-peer file transfer skill whose file and network access match its stated purpose.

Install only if you intend to use sendme for peer-to-peer file transfer. Confirm the exact file or folder before sending, keep tickets private, receive only from trusted senders, run receive commands from a directory where new files are expected, and stop the sender process when the transfer is complete.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding:
The skill is scoped very broadly to common file-sharing and transfer requests, which increases the chance an agent invokes it automatically for vague prompts without first confirming destination, source, trust level, or whether file transfer is actually desired. In a security-sensitive context, broad triggering can lead to unintended exfiltration or importing untrusted content through peer-to-peer transfer.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill states that received files are downloaded into the current directory, but it does not require an explicit warning or confirmation about where data will be written locally. That creates a risk of silently placing untrusted files or large directory trees onto disk, potentially overwriting user expectations, consuming storage, or introducing dangerous content into a working directory.

VirusTotal

63/63 vendors flagged this skill as clean.
