Send Email

Security checks across malware telemetry and agentic risk

Overview

This email-sending skill mostly matches its purpose, but it asks for email credentials in chat and defaults to a shared sender account without asking the user first.

Review carefully before installing. Use only accounts you control, prefer revocable app passwords or SMTP tokens, avoid pasting primary account passwords into chat, and confirm the sender, recipient, subject, body, template path, and every attachment before allowing any email to be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence: 76%
Finding
The invocation description uses very broad triggers like 'send a notification' and 'send files via email,' which can cause the skill to activate for routine requests without sufficient user intent verification. In a skill that can exfiltrate files and solicit credentials, overbroad activation materially raises the chance of unintended or unsafe execution.

Missing User Warnings

High
Confidence: 97%
Finding
The skill directs the agent to collect sensitive credentials for multiple providers but does not include explicit warnings about the risks of sharing passwords, app passwords, authorization codes, or API keys in chat. This is dangerous because users may disclose live secrets into logs, transcripts, or intermediary systems, enabling account compromise and downstream abuse.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill highlights attachment support without clearly warning that local files may be read from disk and sent to external recipients. In practice, this can lead users to authorize email actions without understanding that arbitrary local content may be exposed outside the environment.

Ssd 3

High
Confidence: 99%
Finding
The skill instructs the agent to default to a shared sender account and then ask the user for that account's authorization code directly in conversation. This normalizes disclosure of a highly sensitive credential for a non-user-owned account, creating serious risk of credential theft, account abuse, and unauthorized email sending.

Ssd 3

High
Confidence: 99%
Finding
The provider setup instructions repeatedly direct the agent to solicit passwords, app passwords, SMTP authorization codes, and API keys in plain conversation. Collecting live secrets this way is unsafe because chat logs, observability tooling, and other platform components may retain them, enabling account takeover and persistent misuse.

Ssd 3

High
Confidence: 98%
Finding
The examples explicitly show users providing app passwords, account passwords, and authorization codes in the transcript, which trains both developers and end users to treat this as acceptable behavior. This increases the likelihood of real credential disclosure and compromises across email providers.

VirusTotal

64/64 vendors flagged this skill as clean.
