Email Send

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward email-sending helper, but it can send messages and attachments using your SMTP account, so use it carefully.

Install only if you want an agent to send mail through your SMTP account. Use a dedicated app password or scoped SMTP credential when possible, keep SMTP_PASS out of prompts and files, and verify every recipient, message, and attachment before sending.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill instructs users to send email via SMTP using environment-provided credentials but does not warn that message content, recipient metadata, and authentication secrets are sensitive and traverse external network infrastructure. In a lightweight automation skill, this omission can lead users or agents to send sensitive data or mishandle SMTP credentials without considering TLS requirements, logging exposure, shell history, or secret scoping.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal