Pilot Newsletter Automation Setup

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed newsletter automation setup skill, but users should treat email dispatch and subscriber data handling carefully.

Before installing, review the downstream pilot-* skills, test with sandbox or non-production recipient lists, and only connect trusted hosts. Treat subscriber data, email-provider credentials, consent, unsubscribe handling, and retention rules as your responsibility before enabling live delivery.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The README promotes automated email dispatch to subscriber segments without clearly warning operators that the workflow can send messages to real recipients and process subscriber-related data. In an agent skill meant for easy deployment, this omission increases the risk of accidental bulk email sends, privacy issues, and unintended actions against production mailing lists.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The data-flow section describes transmission of newsletter content and delivery-related information to an external email system over port 443 but provides no privacy or data-handling warning. Because this skill handles subscriber segments and delivery metrics, the missing guidance can lead users to expose personal or operational data to third-party services without understanding compliance, retention, or confidentiality implications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal