Back to skill

Security audit

tencent-ses-skills

Security checks across malware telemetry and agentic risk

Overview

This skill matches its Tencent Cloud email purpose, but it asks users to provide cloud API secrets in chat and can send email or change SES resources.

Review before installing. Do not paste Tencent Cloud SecretId or SecretKey into chat; configure them yourself through environment variables or a secret manager. Use a dedicated low-scope CAM subaccount, enable IP restrictions where possible, and require dry-run previews plus explicit confirmation before sending email, creating resources, updating templates, or deleting templates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document mandates `--dry-run` before any write operation, but examples elsewhere show direct execution of state-changing commands. That inconsistency weakens operator safeguards and makes accidental domain creation, address creation, template mutation, or email sending more likely without preview or explicit user confirmation.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The workflow says custom-content sending must be blocked unless the user confirms the account has the required permission, but the examples still present executable `send-simple` invocations directly. This can train the agent or operator to bypass the required authorization gate and attempt restricted sending actions anyway.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases are broad enough to match ordinary conversation about emailing, which can cause the skill to activate in contexts where the user did not intend operational email actions. In a skill with network access and credential-dependent workflows, over-triggering increases the risk of unnecessary sensitive prompts or unintended actions.

Vague Triggers

Low
Confidence
71% confidence
Finding
The DNS troubleshooting trigger language is vague and may activate on general DNS discussions rather than SES-specific troubleshooting. While lower severity than direct send actions, unnecessary invocation can still lead to unsolicited network lookups, confusing guidance, or escalation into credentialed SES workflows.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The tool exposes destructive deletion of email templates without any confirmation gate, warning, or safer workflow. In an agentic or semi-automated environment, a malformed prompt, operator mistake, or unintended invocation could irreversibly remove production templates and disrupt mail delivery or business workflows.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to ask the user for SecretId and SecretKey and then configure them from the chat. This is dangerous because it normalizes collecting cloud credentials through the conversational channel, exposing secrets to the LLM/application logs and creating a direct path to credential leakage or misuse.

Ssd 4

Medium
Confidence
93% confidence
Finding
The setup flow conditions progress on obtaining API credentials from the user, making secret submission feel like the expected next step. In the context of a cloud-email skill, this increases the chance users disclose highly sensitive credentials into an unsafe channel and accept risky handling as normal.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.