Security audit

Delivery Notifier

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent delivery-notification purpose, but it handles private Gmail contents and forwards shipment details to a hard-coded WhatsApp number with weak safeguards.

Review before installing. Only use this with a mailbox and WhatsApp recipient you control, replace the hard-coded phone number, remove or disable the debug script, and minimize stored state so full email bodies are not printed or retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script reads Gmail credentials from environment variables and immediately uses them to authenticate to a live mailbox, granting access to sensitive account contents. In the absence of clear, justified skill context, mailbox access is a high-risk capability because it can expose private communications and enable unauthorized data collection.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The debug logging prints raw IMAP fetch responses and then extracts and returns full email bodies, subjects, and sender data. This exposes sensitive mailbox contents to logs and stdout, which are commonly retained, shared, or collected by surrounding systems, turning ordinary debugging into a data leakage path.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill description states it will scan Gmail contents, extract delivery details, and forward them to WhatsApp, but it does not prominently warn users about the privacy implications of reading inbox data and transmitting potentially sensitive purchase information to a third-party messaging channel. This can lead users to enable the skill without informed consent, increasing the risk of unintended disclosure of personal data such as sender identities, order references, and delivery status.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script forwards email-derived content, including subject lines and tracking data, to an external WhatsApp target without any consent gate, destination validation, minimization, or clear disclosure. This creates a real confidentiality risk because sensitive delivery information from a mailbox is automatically exfiltrated to a third-party messaging channel and a hardcoded phone number.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script fetches message content and prints detailed response data without any notice, consent flow, or user-facing disclosure that private emails will be processed and exposed in output. This is dangerous because operators or downstream tooling may unknowingly collect confidential email contents, creating privacy, compliance, and credential-reset interception risks.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
Reading email credentials from environment variables is not inherently insecure, but here it supports direct access to a sensitive mailbox without any visible disclosure, justification, or safeguards. In this context, the hidden use of mailbox credentials increases the risk of surprise data access and misuse of powerful account secrets.

VirusTotal

65/65 vendors flagged this skill as clean.
