Back to skill

Security audit

Tox Tunnel Ops

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for managing encrypted remote tunnels, but it recommends high-impact installer and service workflows that deserve manual review before use.

Install only if you intentionally want an agent to help deploy and manage remote-access tunnels. Review installer scripts or use verified release packages instead of piping remote scripts directly to a privileged shell, confirm every generated file path and service change, keep rules limited to exact friend keys and ports, and avoid leaving RDP, NAS, database, or admin web access running longer than needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest advertises an extremely broad set of remote-access, exposure, troubleshooting, proxying, and persistence use cases, making accidental or overbroad activation more likely. In an agent ecosystem, vague activation criteria increase the chance that sensitive networking or service-management behavior is triggered for generic requests that should have been handled more narrowly or with extra confirmation.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Routing based on phrases like 'I need remote SSH access' or 'Generate the config' is too generic for a skill that can write files, install software, and enable tunnels. This raises the risk of unintended activation and escalation from harmless advice into operational changes on the local machine.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill encourages file generation, service startup, and deployment actions without a prominent upfront warning that these operations can alter the local system and create persistent background services. Users may consent to configuration help without realizing the skill also aims to perform operational changes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions recommend piping a remotely fetched script directly into `sh` or `iex` as the preferred installation path, without prominently telling users to review or verify the script first. This creates a classic supply-chain and remote-code-execution risk: if the source, transport, repository, or account is compromised, users may execute attacker-controlled code immediately, often with elevated privileges.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document gives step-by-step instructions to expose a NAS/home lab's administrative and file-sharing services for remote access, including DSM/web UI, SSH, and SMB, but does not prominently warn about the sensitivity of those services or the risks of exposing admin interfaces and file shares beyond the local network. In this context, the tunnel is intended for legitimate remote access, but the guidance could still lead users to widen access to highly sensitive services without hardening, least-privilege rules, or authentication cautions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document provides step-by-step instructions for exposing an interactive desktop session over the tunnel but does not warn that RDP/VNC access can grant full remote control of the target machine and expose sensitive on-screen data, clipboard contents, mounted drives, and credentials. In the context of a tunneling tool designed for NAT traversal and remote access, omitting this warning increases the chance that users will enable broad desktop access without understanding the security and privacy consequences.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document encourages forwarding internal web applications such as admin panels, Grafana, Prometheus, Webmin, Jenkins, and GitLab into a locally accessible browser session, but it does not explicitly warn that this grants direct access to sensitive interfaces from the client machine. In the context of a remote-access tunneling skill, that omission can lead users to expose privileged management surfaces to any local user, local malware, or browser-based session already running on the endpoint, increasing the chance of unauthorized access or accidental administrative actions.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The HTTPS guidance suggests editing /etc/hosts to override local name resolution without warning that this is a privileged system file and that incorrect entries can redirect traffic or interfere with other applications on the machine. While not a direct exploit by itself, in a tunneling tool that intentionally reroutes access paths, silent hostfile modification guidance can cause confusion, misrouting, and persistence of unsafe local overrides after testing is complete.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This section instructs the agent to perform privileged installation and service-management actions that modify the host, but it does not clearly require explicit user confirmation immediately before those changes. In an agent setting, that increases the risk of silent package installation, privilege escalation prompts, and persistence being applied on the user's machine without sufficiently clear consent boundaries.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The file-generation section tells the agent to generate and write configuration files, but it does not warn that files will be written to disk or require approval for chosen paths. In an agent workflow, silent file creation can overwrite existing configs, leak secrets into predictable locations, or stage later privileged execution.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.