Security audit

Cold Email

Security checks across malware telemetry and agentic risk

Overview

This is a text-only cold-email writing skill with some aggressive outreach advice, but no executable code, hidden access, or automatic sending behavior.

Install only if you want help drafting cold sales outreach. Review generated copy before sending, avoid implying internal affiliation or misleading sender identity, use only appropriate public business information for personalization, and follow applicable anti-spam, privacy, and outreach compliance rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 95%
Finding
This JSON eval file is a manifest-type file, so vague-trigger checks apply. The expected behavior and assertion explicitly say the skill should 'trigger on casual phrasing,' but they do not constrain which phrases count or provide exclusions, creating a risk of unintended invocation on ordinary writing-help requests.

Missing User Warnings

Medium
Confidence: 87%
Finding
This markdown file instructs users to gather and use signals such as LinkedIn activity, job changes, talks, and website changes to personalize outreach. Although it briefly says to avoid 'over-personalizing to creepiness,' it does not provide an explicit user warning about privacy-sensitive behavior, data handling, or potential user discomfort when using personal information in outreach.

Missing User Warnings

Medium
Confidence: 94%
Finding
Lines L12-L16 explicitly recommend an 'Internal Camouflage Principle' and provide examples of subject lines designed to look like they came from a colleague rather than a vendor. Because this markdown file describes behavior that could mislead recipients and affect trust or organizational integrity, it should include a user-facing warning about the deceptive nature and associated compliance risks.

VirusTotal

63/63 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.