outreach-pipeline

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed bulk email outreach helper, but users should treat it carefully because it can send real messages and writes recipient results to a local CSV log.

Install only if you intentionally want an agent-assisted workflow that can send real outreach emails. Use a limited app password or scoped ESP API key, start with a very small --max-per-run test, review rendered messages and recipient lists before sending, include unsubscribe or opt-out language, and protect or delete the results CSV because it contains recipient data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 77%
Finding
The script writes recipient email addresses and per-recipient send status or error details to a local CSV file without any access controls, minimization, or warning. On shared systems, this can expose personal data and potentially sensitive provider error messages to other local users or to later accidental disclosure.

VirusTotal

67/67 vendors flagged this skill as clean.
