Cinematic Business Card Prospecting

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This sales automation skill appears purpose-aligned, but it handles personal contact data and can send real outreach emails without enough disclosed privacy, consent, credential, or anti-spam safeguards.

Review this carefully before installing. Use only with contacts you are allowed to process and message, prefer a test mailbox or sandbox first, avoid bulk sending until you have unsubscribe/opt-out handling and rate limits, and do not provide primary email credentials unless you understand where they are stored and used.

SkillSpector (4)

By NVIDIA

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README promotes automated extraction of contact details from business cards, external company research, and outbound prospecting without any visible notice about consent, lawful basis, retention, or handling of personal data. In a lead-generation skill, this omission materially increases the risk of privacy misuse, unauthorized profiling, and non-compliant outreach because users are encouraged to operationalize personal data processing immediately.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The quick-start instructions include commands for sending outreach emails and recommend SMTP credentials, but provide no warning about mass outbound actions, sender reputation, account suspension, anti-spam compliance, or the sensitivity of email credentials. In this context, users may connect a real mailbox and send prospecting campaigns without understanding operational and compliance risks, leading to spam complaints, credential exposure, or account abuse.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly promotes extracting contact data from business cards, performing external business research, tracking responses, and sending branded outreach emails, but it does not disclose what personal/business data is transmitted, stored, or shared with third-party services. In a sales automation context, this omission can lead users to process personal contact information and company data without informed consent, adequate notice, or compliance safeguards, creating privacy, legal, and reputational risk.

Vague Triggers

Low

Confidence: 85% confidence
Finding: The description claims broad capabilities like business card prospecting, researched leads, and branded email outreach without defining user consent boundaries, data handling limits, or when these actions occur. In a sales automation skill that processes contact details and can send emails, vague capability language increases the risk of unauthorized outreach, privacy misuse, and operator misunderstanding about what the skill may do automatically.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal