Badman — AI Agent Rental

Security checks across malware telemetry and agentic risk

Overview

This skill appears to automate sensitive business communications, but its artifacts under-disclose where data goes and how autonomous sends are controlled.

Install only if you are comfortable granting a business automation agent access to communications and lead data. Before use, confirm exactly which services it connects to, whether any data is sent to the Base44 backend or any other remote service, and whether past emails are ingested or retained; configure outbound sends as draft-only or approval-required by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The documentation claims that data never leaves the user's machine, yet the skill explicitly integrates with Gmail, WhatsApp, Telegram, and a Base44 backend. This creates a materially misleading security/privacy representation that could cause users to authorize access under false assumptions and expose sensitive business communications to third parties or remote services.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The skill advertises an open-source codebase that users can audit, but the same document states the product is proprietary and depends on Base44 backend infrastructure. That contradiction can mislead users into believing they can fully verify the system's behavior when key components may be closed or externally controlled.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The launch copy explicitly promotes autonomous Gmail sending and WhatsApp auto-replies, which are actions that can directly affect a user's accounts and external communications. Even though this is marketing/checklist content rather than executable code, normalizing these capabilities without clear user-consent, review, rate-limit, and account-scope warnings increases the risk that the skill is deployed or used in ways that send unintended messages, leak sensitive information, or damage user trust.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The launch plan explicitly promotes automated user-facing messaging such as drafted email replies and auto-responses on WhatsApp and Telegram, but it provides no guardrails, disclosure requirements, approval workflow, or discussion of risks like spam, incorrect outreach, or harmful unsolicited messaging. In this context, the skill is oriented toward autonomous business prospecting and marketing, which makes unintended or abusive outreach more likely and increases the chance of reputational damage, platform policy violations, or non-compliant communications.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README advertises autonomous Gmail monitoring, drafting, and sending emails with attached CVs, but provides no warning about privacy, consent, account-scope, or outbound-action risks. This can mislead users into granting broad mailbox access without understanding that sensitive data may be processed or messages sent automatically on their behalf.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README promotes automatic message responses when the user is away without warning that the agent may send autonomous outbound communications. In an agent marketed as running business tasks unattended, this increases the risk of unauthorized, inappropriate, or reputation-damaging responses being sent without meaningful user awareness.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The skill is designed to autonomously send emails, messages, posts, attachments, and job applications on the user's behalf, but the description does not prominently warn about the risks of automated external actions. In this context, omission is dangerous because the agent operates continuously across real accounts and could cause privacy breaches, reputational damage, spam, or unintended communications at scale.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The instruction to let the agent learn from past emails implies ingestion and analysis of potentially sensitive communication history, but the documentation does not explain scope, retention, consent boundaries, or risks. This is especially sensitive because email archives often contain personal data, confidential business details, credentials, and attachments.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The manifest describes the skill as an 'autonomous business agent' that handles prospecting, email, marketing, and lead qualification 'on autopilot' without clearly scoping triggers, approval boundaries, or permitted actions. This creates a real safety risk because an agent platform may invoke or configure the skill too broadly, leading to unintended outreach, spam-like behavior, or processing of business and personal data without explicit user intent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The manifest advertises autonomous email, marketing, auto-responder, and job application capabilities but provides no warning that the skill may send external communications or act on user data. In this context, the combination of outbound messaging and autonomous operation materially increases risk of unauthorized emails, spam, privacy violations, reputational damage, and accidental contact with third parties.
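The overview recommends draft-only or approval-required sends, and the findings above repeatedly ask for an approval workflow, a rate limit and account scoping around the agent's outbound messaging. The following is an added example, not code from the Badman skill, from SkillSpector, or from any of the integrated services: a policy gate that every send from an agent would have to pass through. The recording transport, the allowed-recipient list, the limits and the sample messages are assumptions for illustration; a real deployment would replace the transport with its Gmail, WhatsApp or Telegram client and wire approve() to a human review UI only.

```python
import time
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboundMessage:
    channel: str                     # "gmail", "whatsapp", "telegram"
    recipient: str                   # e-mail address, phone number or handle
    body: str
    attachments: tuple = ()          # file names the agent wants to attach


@dataclass(frozen=True)
class Policy:
    require_approval: bool = True                  # safe default: a human approves every send
    allowed_recipients: frozenset = frozenset()    # e-mail domains, or whole phone numbers/handles
    max_sends: int = 5                             # per channel, per window
    window_seconds: int = 3600
    allowed_attachments: frozenset = frozenset()   # anything else is refused


class SendGate:
    """The only path from the agent to a transport: the agent may queue, only a human may approve."""

    def __init__(self, policy, transport):
        self.policy = policy
        self.transport = transport   # assumed: callable(OutboundMessage), e.g. a mail-client wrapper
        self.drafts = {}             # draft_id -> OutboundMessage
        self.sent_times = {}         # channel -> [send timestamps]
        self.audit = []              # (decision, draft_id, reason)

    @staticmethod
    def _scope_key(recipient):
        # e-mail is scoped by domain; phone numbers and handles must be listed whole
        return recipient.rsplit("@", 1)[1].lower() if "@" in recipient else recipient.lower()

    def _violation(self, msg, now):
        """Return None if msg is within policy, otherwise the reason it is not."""
        if self._scope_key(msg.recipient) not in self.policy.allowed_recipients:
            return f"recipient {msg.recipient!r} outside account scope"
        for att in msg.attachments:
            if att not in self.policy.allowed_attachments:
                return f"attachment {att!r} not on the approved list"
        cutoff = now - self.policy.window_seconds
        recent = [t for t in self.sent_times.get(msg.channel, []) if t > cutoff]
        if len(recent) >= self.policy.max_sends:
            return f"rate limit {self.policy.max_sends}/{self.policy.window_seconds}s hit on {msg.channel}"
        return None

    def request_send(self, msg, now=None):
        """Agent-facing. Returns ('queued', draft_id), ('sent', draft_id) or ('rejected', reason)."""
        now = time.time() if now is None else now
        reason = self._violation(msg, now)
        if reason:
            self.audit.append(("rejected", None, reason))
            return "rejected", reason
        draft_id = uuid.uuid4().hex
        self.drafts[draft_id] = msg
        if not self.policy.require_approval:
            return self._dispatch(draft_id, now, approver="policy")
        self.audit.append(("queued", draft_id, "awaiting human approval"))
        return "queued", draft_id

    def approve(self, draft_id, now=None):
        """Reviewer-facing. Wire this to a human UI; never expose it to the agent as a tool."""
        now = time.time() if now is None else now
        if draft_id not in self.drafts:
            return "rejected", "unknown draft"
        return self._dispatch(draft_id, now, approver="human")

    def _dispatch(self, draft_id, now, approver):
        msg = self.drafts.pop(draft_id)
        reason = self._violation(msg, now)   # re-check: the window may have filled while the draft waited
        if reason:
            self.audit.append(("rejected", draft_id, reason))
            return "rejected", reason
        self.transport(msg)
        self.sent_times.setdefault(msg.channel, []).append(now)
        self.audit.append(("sent", draft_id, f"approved by {approver}"))
        return "sent", draft_id


def demo():
    """Walk the gate through the failure modes the findings describe; all inputs are constructed."""
    delivered = []
    policy = Policy(allowed_recipients=frozenset({"example.com"}), max_sends=2,
                    allowed_attachments=frozenset({"cv.pdf"}))
    gate = SendGate(policy, delivered.append)
    t0 = 1_700_000_000.0
    r = {}
    status, d1 = gate.request_send(OutboundMessage("gmail", "hr@example.com", "Application", ("cv.pdf",)), t0)
    r["held_as_draft"] = status                    # queued: nothing has left the machine
    r["sent_before_approval"] = len(delivered)     # 0
    r["out_of_scope"] = gate.request_send(OutboundMessage("gmail", "ceo@other.org", "Pitch"), t0)[0]
    r["bad_attachment"] = gate.request_send(
        OutboundMessage("gmail", "hr@example.com", "Docs", ("/etc/passwd",)), t0)[0]
    r["approved"] = gate.approve(d1, t0 + 60)[0]   # sent
    _, d2 = gate.request_send(OutboundMessage("gmail", "sales@example.com", "Follow-up"), t0 + 120)
    _, d3 = gate.request_send(OutboundMessage("gmail", "ops@example.com", "Follow-up"), t0 + 125)
    r["second_send"] = gate.approve(d2, t0 + 130)[0]   # sent: window is now full
    r["stale_draft"] = gate.approve(d3, t0 + 135)[0]   # rejected by the send-time re-check
    r["after_window"] = gate.request_send(OutboundMessage("gmail", "ops@example.com", "Retry"), t0 + 3700)[0]
    r["delivered"] = len(delivered)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design choice is that the agent only ever reaches request_send(): approval is a separate entry point that must not be registered as a tool the agent can call, otherwise the gate collapses into the unattended sending the findings warn about. Re-checking policy at dispatch time matters because a draft that was within limits when queued can be approved after the window has filled.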

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal