Back to skill

Security audit

Cold Email Outreach

Security checks across malware telemetry and agentic risk

Overview

This skill matches its advertised cold-email purpose, but it can send contact data to third-party services and bulk add leads to an outreach campaign with little built-in review.

Review the CSV and campaign carefully before running this skill. Use only contacts you are authorized to process and contact, keep the Hunter and Instantly keys private, test with a small file first, and consider adding a dry-run or confirmation step before uploading leads to Instantly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The markdown explains that leads are scraped, verified with Hunter, and uploaded to Instantly, which implies sending contact and potentially personal data to external services. It does not include any explicit warning about privacy, third-party data handling, or the need to ensure authorization before processing and uploading those leads.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code sends CSV-derived email addresses to Hunter for verification and later uploads lead details to Instantly, which is a privacy-relevant network operation. While the script logs progress, it does not disclose that personal/contact data from the CSV will be sent to third-party services, and the header comment/usage text also omits that warning.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.