Instantly Campaign Launcher

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses an Instantly.ai API token to create or reuse an email campaign and upload the user's lead list to Instantly.

Install and run this only if you intend to let it use your Instantly API token to create campaigns and upload lead contact data to Instantly.ai. Test with a small lead file first, keep the token out of committed config files, and make sure you have permission and a lawful basis to upload and contact the leads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to import lead records and use an external API, but it does not clearly warn that personal/business contact data from `leads.json` will be transmitted to Instantly.ai. This creates a real privacy and compliance risk because users may provide contact data without understanding that it leaves their local environment and is processed by a third-party service.

VirusTotal

64/64 vendors flagged this skill as clean.
