Back to skill

Security audit

Sequenzy Email Marketing

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Sequenzy email-marketing integration, but it gives agents broad account-changing powers and includes unsafe guidance for canceling campaigns without confirmation.

Install only if you trust the publisher and are comfortable with the agent managing Sequenzy account data. Before using it for campaign sends, subscriber imports/removals, webhook changes, API-key creation, or campaign cancellation, require explicit confirmation and review the exact account, campaign, audience, and action to be performed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manifest uses extremely broad activation criteria that cover a wide range of common email-marketing and operational tasks, increasing the chance the skill is invoked in situations where safer, narrower skills or additional user confirmation would be more appropriate. Because the skill enables high-impact actions such as subscriber mutation, sending email, webhook management, and API key creation, overbroad activation expands the blast radius of accidental or premature tool use.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill enumerates numerous sensitive operations involving personal data, outbound communications, credentials, and destructive changes, but it does not establish a general safety policy requiring confirmation, least privilege, or privacy review before acting. In an agent setting, this omission can normalize performing impactful actions without adequate user awareness, increasing the likelihood of unauthorized sends, data exposure, or irreversible account changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guidance normalizes an irreversible destructive action and explicitly instructs the agent to cancel first and ask questions later, while noting there is no confirmation prompt. In an email-marketing context, canceling a scheduled or active campaign can cause immediate business disruption, loss of revenue, and unrecoverable interruption of customer communications if the agent acts on an ambiguous or mistaken request.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.