Back to skill

Security audit

Sendspark

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Sendspark connector that can read and make limited, user-confirmed changes through OOMOL, with no evidence of hidden or malicious behavior.

Install this only if you intend to let Codex use your OOMOL-connected Sendspark account. Review payloads before approving write actions such as creating campaigns or adding prospects, and do not run setup/authentication steps unless the oo CLI or Sendspark connection is actually missing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The description says to use this skill for "ANY Sendspark request" and "instead of calling the API directly," which creates an overly broad invocation scope. That can cause the agent to route all Sendspark-related tasks through a shell-backed connector skill, including sensitive or state-changing operations, increasing the chance of unintended writes, excessive trust in the skill, and misuse in contexts where a narrower tool or direct, constrained integration would be safer.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.