Postbox

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Postbox integration that can create and manage forms using a configured API key, with no hidden code or unrelated behavior found.

Install this only if you want the assistant to operate your Postbox account. Review proposed create, update, delete, webhook, Slack/Discord, and AI auto-reply actions before they run, do not paste API keys into chat, and inspect generated frontend changes before deploying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence: 94%
Finding
The trigger description is extremely broad and explicitly says to activate even when the user does not name the tool, covering nearly any scenario involving incoming data. That can cause unintended invocation in contexts where another skill is more appropriate, increasing the chance of unnecessary external API actions and over-collection or disclosure of user data.

Missing User Warnings

Medium
Confidence: 88%
Finding
The instruction to use the API key 'silently when present' encourages authenticated external actions without clear user-facing disclosure at the time of use. In an agent setting, this reduces transparency and can lead to surprising writes to third-party services under the user's account.

VirusTotal

66/66 vendors flagged this skill as clean.
