Back to skill

Security audit

Resume Email Sender

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Gmail helper for sending job application emails, but users should verify the resume handling and approve every send carefully.

Install only if you trust the gog Gmail tool and are comfortable granting it Gmail access. Before approving any send, check the recipient, subject, sender account, body text, and whether your resume is actually attached or pasted inline; remove the temporary email body or job-search log if it contains sensitive personal information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata claims it sends resumes as attachments, but the workflow explicitly says no actual file attachment is sent and instead suggests pasting resume content inline or sending it separately. This mismatch can cause users or higher-level orchestrators to disclose far more sensitive personal information than expected, since inline resume content exposes full PII directly in message bodies and may bypass user expectations about document handling.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation description includes broad phrases like applying to a job or emailing a company, which can match common exploratory job-search conversations rather than an actual request to send email. Over-broad triggering is dangerous because it may cause the agent to collect sensitive personal data or initiate outbound communication in contexts where the user only wanted advice, drafting help, or information.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The listed activation conditions lack clear exclusion boundaries and can be interpreted broadly, especially when a user provides a company email or mentions applying. In an email-sending skill, ambiguous activation increases the risk of unintended outbound actions or premature collection/use of highly sensitive applicant data such as resumes, contact details, and cover letters.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.