VexPath Skill Pack

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches business email automation, but it asks for broad mailbox and workspace authority, handles credentials unsafely, and includes an under-disclosed roofing cold-outreach module.

Install only after review if you are comfortable granting mailbox access, SMTP sending ability, workspace identity changes, local persistence of email/lead data, and optional VPS provisioning. Do not pass passwords on the command line; use a secret manager or interactive prompt, review heartbeat behavior before enabling it, and remove or separate the roofing/cold-outreach module unless you explicitly need it and have privacy/compliance approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (29)

Context-Inappropriate Capability

Medium severity, 93% confidence
This section operationalizes storm-targeted prospecting using public property records and mailing/contact data to build lead lists for cold outreach. In an agentic automation context, that enables scalable collection and use of homeowner personal data for unsolicited contact, creating privacy, compliance, and misuse risk even if the data sources are nominally public.

Description-Behavior Mismatch

High severity, 96% confidence
This script implements rooftop geocoding and solar/roof estimation logic that is materially unrelated to the skill's declared business-operations and email-automation purpose. In an agent skill, unexplained capability drift is dangerous because it can conceal unauthorized data collection, external API usage, or covert secondary functionality that operators would not expect or approve.

Context-Inappropriate Capability

Medium severity, 91% confidence
The script requires Google Maps and Google Solar API access even though the skill description does not justify any mapping, geolocation, or solar-analysis features. This expands the skill's external communication surface and can expose user-supplied addresses and API secrets to third-party services without a clear business need, increasing privacy, compliance, and abuse risk.

Missing User Warnings

Medium severity, 82% confidence
The README advertises inbox monitoring, email data extraction, lead classification, and CRM update automation without disclosing privacy, consent, data retention, or review safeguards. For a skill centered on processing communications and syncing business records, this omission can lead users to deploy it in ways that collect, transform, or propagate sensitive personal and business data without adequate controls.

Vague Triggers

Medium severity, 80% confidence
The activation description is extremely broad and covers many routine business tasks, making accidental or excessive invocation more likely. In a skill that can touch email, scripts, external tools, and workspace files, broad routing language increases the chance that sensitive operations are triggered in contexts where the user did not intend data access or automation side effects.

Vague Triggers

Medium severity, 84% confidence
The 'When to Use This Skill' section provides expansive activation criteria without boundaries, negative examples, or approval gates. Because the skill includes instructions for email configuration, inbox triage, and file-copy operations, overbroad activation can lead to unnecessary exposure of communications data or execution of operational steps when only generic advice was needed.

Missing User Warnings

Medium severity, 93% confidence
The setup checklist instructs running email setup and triage scripts on live inbox data, including using email credentials and pulling recent messages, without a clear privacy notice, retention limits, or data-handling safeguards. This is dangerous because email contents routinely include sensitive personal, financial, legal, and business information, and the skill normalizes operational access before establishing consent, minimization, or secure storage practices.

Vague Triggers

Medium severity, 91% confidence
The heartbeat section defines recurring autonomous behavior ('Run these checks on each heartbeat') without a clear, explicit invocation boundary, authorization gate, or scope restriction. In an email- and calendar-connected skill, this can cause the agent to perform persistent monitoring, message drafting, and memory updates whenever a generic 'heartbeat' mechanism exists, expanding activity beyond the user's immediate request and increasing the risk of unintended access to sensitive communications.

Missing User Warnings

Medium severity, 89% confidence
The skill explicitly collects a client's primary business email address and instructs operators to record it in `TOOLS.md`, but provides no guidance on data minimization, access controls, retention, or secure handling. In this skill's context, `TOOLS.md` appears to be a workspace artifact used for configuration, so storing contact data there can unnecessarily expose sensitive business information to other tools, logs, or collaborators with workspace access.

Missing User Warnings

Medium severity, 81% confidence
The onboarding flow instructs the operator to 'Run setup scripts' immediately after collecting client answers, but does not disclose what those scripts do, what systems they modify, or whether client approval is required before changes are made. In an automation-focused skill that configures email, calendars, CRMs, and workflows, this omission increases the risk of unauthorized or unexpected configuration changes to production business systems.

Vague Triggers

Medium severity, 93% confidence
The phrase "whenever a client says 'things feel chaotic'" is a broad, subjective invocation trigger that can cause the audit workflow to run in situations where it may not be appropriate or sufficiently scoped. In an agent skill focused on business operations and automation, this increases the chance of over-triggering, unnecessary data collection, and recommendations being generated from vague user sentiment rather than explicit user intent.

Missing User Warnings

Medium severity, 88% confidence
The workflow is designed to process inbox contents and extract sender identity, contact details, business needs, billing data, and contract information into downstream systems, but it provides no privacy, consent, or data-handling warning. In an email-triage skill, this omission is risky because users may enable broad processing of sensitive personal or business communications without understanding exposure, retention, or sharing implications.

Missing User Warnings

Medium severity, 90% confidence
The integration section instructs creating and updating CRM records, calendar events, reminders, and follow-up entries, but it does not clearly warn that approved actions will mutate external systems. That can lead to unintended record changes, duplicate entries, privacy leaks, or operational errors, especially when triage classifications are imperfect.

Missing User Warnings

Medium severity, 98% confidence
The guide instructs users to pass app passwords directly as command-line arguments, which can leak secrets through shell history, process listings, terminal logging, and audit tooling. Because this skill is specifically for email/operations automation, those credentials could grant ongoing access to inbox contents and outbound email capabilities.

Missing User Warnings

Medium severity, 99% confidence
This section tells users to supply their direct email account password on the command line without warning about exposure risks. If the password is captured from shell history or process inspection, an attacker could gain full mailbox access for a custom-domain account, potentially enabling data theft, impersonation, and password-reset interception.

Missing User Warnings

Medium severity, 97% confidence
The manual configuration example embeds passwords via `passwd.cmd = "echo 'your-password'"`, which effectively stores recoverable credentials in configuration and exposes them to anyone who can read the file. In an email-automation context, compromise of these secrets can provide persistent access to sensitive communications and sending capability.

Missing User Warnings

Medium severity, 94% confidence
The onboarding flow explicitly asks the user for an email address, display name, and app password, then instructs running a setup script with those credentials, but provides no consent language, minimization guidance, or secure-handling requirements. In an agent setting, this creates a real risk of over-collection and unsafe exposure of email credentials and related account access during onboarding.

Missing User Warnings

Medium severity, 92% confidence
The document directs storing calendar connection details and business configuration in TOOLS.md without classifying which fields are sensitive or restricting what may be written there. Plaintext workspace documentation can be read, copied, synced, or exposed later, turning operational metadata into a privacy and account-security issue.

Missing User Warnings

Medium severity, 89% confidence
The first-triage step instructs the agent to pull and summarize the last 50 emails, but does not require an explicit user-facing notice or confirmation that mailbox contents will be accessed and analyzed. This is a privacy-sensitive operation involving potentially confidential communications, and the lack of clear consent and scope limitation makes it risky.

Missing User Warnings

Medium severity, 95% confidence
The workflow stores homeowner names, addresses, email addresses, phone numbers, contact history, and reply classifications in a CRM and email triage flow without any privacy, retention, access-control, or consent guidance. In a business automation skill, this omission increases the likelihood of unauthorized processing, over-retention, and noncompliant handling of personal data at scale.

Missing User Warnings

Medium severity, 83% confidence
The templates normalize automated email, SMS, CRM logging, and follow-up workflows without any embedded guidance on consent, notice, data minimization, or review of communication impact. In a skill explicitly designed for inbox monitoring, triage, and workflow automation, this can lead operators to deploy customer-contact automations that process personal data and send messages without adequate transparency or safeguards.

Missing User Warnings

Medium severity, 97% confidence
The script logs and persists sensitive lead data, including names, email addresses, physical addresses, and generated outreach content, to plaintext log and JSON files without any privacy notice, minimization, retention control, or access restriction. If these files are accessed by other local users, backup systems, log collectors, or compromised processes, they can expose PII and business-sensitive outreach data at scale.

Missing User Warnings

Medium severity, 95% confidence
The script requires an email app password as a positional command-line argument and forwards it to another script. On most systems, command-line arguments can be exposed via shell history, process listings, audit logs, or orchestration tooling, which makes credential leakage likely during normal administration. In this skill's context, the password grants mailbox access and the skill is explicitly built for inbox monitoring and automation, so compromise could expose sensitive client communications and enable persistent account access.

Missing User Warnings

Medium severity, 92% confidence
The script persists inbox metadata, including sender names, email addresses, subjects, flags, and timestamps, to a local JSON file under the user's home directory without an explicit consent prompt or warning before storage. In an email-triage skill, this data can contain sensitive business or personal information, and local persistence increases exposure to other local users, backups, sync tools, or later unintended processing.

Missing User Warnings

Medium severity, 98% confidence
Passing an email app password on the command line exposes the secret through shell history, process listings, audit logs, and remote execution traces. In this skill context the script is meant for VPS provisioning and email account setup, so credential leakage could directly compromise the client's mailbox and any workflows tied to it.

VirusTotal

66/66 vendors flagged this skill as clean.