Back to skill

Security audit

SMTP2GO

Security checks across malware telemetry and agentic risk

Overview

This SMTP2GO skill is a coherent connector wrapper with disclosed account access and user confirmation for sending email.

Install this only if you want your agent to operate your SMTP2GO account through OOMOL. Review email payloads carefully before approving send_email, and treat account activity, sender data, templates, and API key permission reads as sensitive account information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The description says to use this skill for ANY SMTP2GO request and instead of calling the API directly, which is overly broad routing guidance. In an agent system, this can cause the skill to be invoked for all SMTP2GO-related tasks without sufficient narrowing, increasing the chance of unintended execution paths, unnecessary access to connected account data, or write-capable actions being selected when a more constrained path would be safer.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.