Sequenzy

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Sequenzy operations guide whose account, email, and API-key capabilities are disclosed and aligned with its purpose, but users should handle secrets and live sends carefully.

Install only if you want an agent to operate a real Sequenzy account. Review recipient addresses, audience size, campaign timing, subscriber mutations, deletions, and API-key creation before running mutating commands, and store any returned API keys in a secret manager or environment variable without pasting them into shared chat or logs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill documents `sequenzy api-keys create` and notes that the raw key is only returned on creation, but it does not instruct the agent to treat that value as a secret, avoid echoing it back unnecessarily, or ensure the user securely captures and stores it immediately. In an agent context, this increases the risk that a newly created credential is exposed in chat history, logs, terminal transcripts, or other shared output, leading to unauthorized API access.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal