Sunday

Security checks across malware telemetry and agentic risk

Overview

This skill transparently gives an agent its own Sunday email inbox and encrypted credential vault, with sensitive but disclosed access that matches its purpose.

Install only if you are comfortable giving the Sunday CLI ongoing access to an agent-owned inbox and credential vault. Verify the Homebrew tap and Sunday service before use, protect ~/.sunday/config.json like a password vault, and avoid letting agents print decrypted passwords, OTPs, or verification links unless the task specifically requires it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Rogue AgentSelf-Modification, Session Persistence
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Session Persistence

Medium

Category: Rogue Agent
Content: ## Setup (One Time) 1. **Create a Sunday account** at [sunday.ravi.app](https://sunday.ravi.app). Set up your encryption PIN and create an Identity (this gives your agent its own email address). 2. Install the CLI:
Confidence: 91% confidence
Finding: Create a Sunday account** at [sunday.ravi.app](https://sunday.ravi.app). Set up your encryption PIN and create an Identity (this gives your agent its own email address). 2. Install the CLI: ```bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal