Back to skill

Security audit

Brevo

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a normal Brevo email-marketing API helper, but users should treat its email and contact-management actions as real business changes.

Install only if you intend to let your agent work with Brevo. Keep the API key scoped appropriately, review recipient lists and contact changes before execution, and avoid running bulk email, import, update, or delete examples without explicit confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill enables high-impact external actions such as sending emails and creating, updating, or deleting contacts, but it does not prominently warn that these actions transmit customer data to a third-party service and may cause irreversible business changes. In an agent context, missing guardrails can lead to accidental bulk messaging, contact deletion, or unintended disclosure of personal data.

External Transmission

Medium
Category
Data Exfiltration
Content
print(f"Skipped (unsubscribed): {email}")
            continue
        
        r = requests.post(f'{BASE}/contacts', headers=HEADERS, json={
            'email': email,
            'listIds': [list_id],
            'updateEnabled': True
Confidence
91% confidence
Finding
requests.post(f'{BASE}/contacts', headers=HEADERS, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.