Back to skill

Security audit

xCloud Agent Skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate xCloud operations skill, but it needs review because it can let an agent make real hosting/account changes with persistent API tokens and the safety guidance is uneven.

Install only if you trust this xCloud publisher and intend to let an agent operate your hosting account. Use the narrowest scoped, preferably short-lived token; avoid pasting production tokens, private keys, passwords, or magic-login URLs into chat; and require explicit confirmation for deletes, restores, reboots, token revocation, sudo/firewall changes, SSL provider changes, and production deployments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (44)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents use of shell, network, environment variables, and file access capabilities, but the manifest does not declare any permissions or capability boundaries. For a deployment/hosting automation skill that can manage servers, sites, SSL, and account data via API tokens, this mismatch reduces transparency and can lead users or the runtime to grant broader trust than intended.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The performance analysis workflow iterates over all hosted domains and makes direct outbound HTTP requests to each one using curl, which goes beyond the stated xCloud API-only management scope. This can cause the agent to interact with arbitrary tenant-controlled domains, creating SSRF-like exposure, unexpected network egress, and the possibility of touching malicious or internal-facing endpoints if domain data is untrusted or misconfigured.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide tells users to export a live API token and use it in authenticated requests, but provides no warning about credential sensitivity, shell history, terminal logging, shared environments, or least-privilege scope selection. In an agent-skill context that orchestrates hosting operations, this increases the chance of accidental token disclosure or misuse against real infrastructure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document instructs users to call live authenticated endpoints and inspect real JSON responses without warning that responses may contain sensitive account, site, or vulnerability data. Because this skill targets production hosting APIs, normalizing direct calls to live endpoints can expose operational data in terminals, logs, CI output, or agent transcripts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly instructs users to paste an xCloud API token into the chat session, which sends the secret to the model provider and exposes it within chat history and any downstream retention/logging controls. Although the file includes a brief token-safety note, it still normalizes direct disclosure of a live credential through a conversational interface, which materially increases the risk of accidental secret exposure.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill description is broad enough to match many generic hosting or infrastructure requests, which can cause the agent to invoke a powerful operational skill in situations where the user did not clearly intend xCloud-specific actions. In this context, over-broad routing increases the chance of accidental execution of sensitive account, server, site, or SSL operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill advertises management of servers, sites, WordPress, SSL, API tokens, and infrastructure operations without an upfront warning that some actions may be destructive or security-sensitive. In an agent setting, lack of clear caution can lead users to trigger high-impact changes without understanding consequences such as outages, privilege changes, token creation, or configuration drift.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The skill requires all user-facing replies to use xCloud branding and a fixed header/footer format, regardless of user preference or higher-level conversational context. This is a prompt-steering issue because it constrains the agent's output style in a way that can override user intent, obscure neutrality, and make the assistant appear vendor-controlled rather than user-directed.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The file mandates that every progress line and action sentence begin with 'xCloud', enforcing a rigid narration pattern on all operational output. This is dangerous because it is an instruction-layer takeover of the assistant's wording, reducing transparency about what is system-driven versus skill-driven and potentially interfering with normal safety, UX, or policy-compliant responses.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The startup banner and mandatory branded greeting force a specific first-response payload even when the user did not request it. This is a vulnerability because mandatory boilerplate can crowd out relevant safety/setup information, create deceptive product affiliation signals, and reduce the assistant's ability to respond minimally or according to user preferences.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly demonstrates switching a site to password-based SSH authentication and includes an inline password field without any warning about secret handling, logging exposure, shell history leakage, or the relative weakness of password auth compared with public-key authentication. In an agent skill that can automate hosting operations, this increases the chance that users or downstream agents will pass credentials insecurely, store them in prompts/scripts, or prefer a less secure authentication mode.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill includes an example that embeds raw PEM certificate and private key material directly in a command payload, but it does not warn that this is highly sensitive secret material that must not be echoed, logged, stored in chat history, or pasted into insecure contexts. In an agent setting, this increases the chance of credential exposure through transcripts, terminal history, tooling logs, or prompt injection that asks the agent to reveal prior inputs.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The example enables ssl_search_replace during HTTPS adoption without clearly warning that it performs database content modification, which can alter WordPress data and create irreversible changes if run on the wrong site or without backups. In an agent workflow, this can normalize a state-changing operation as routine and lead to unintended data corruption or content rewrite at scale.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The bulk cache purge example performs a multi-site operational change based on broad selection criteria and immediately executes it without any explicit confirmation, dry-run mode, scope preview, or warning about operational impact. In an autonomous agent context, this increases the risk of unintended mass changes, service disruption, or cache invalidation across production sites if the filter is too broad or mis-specified.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The deployment guide explicitly retrieves and prints WordPress usernames and passwords to stdout without any warning about secure handling, storage, redaction, or log exposure. In agent, CI, or shared terminal contexts, these credentials can be captured by logs, transcripts, shell history, or other observers, leading to unauthorized admin access.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The CI/CD example uses bearer tokens and posts deployment metadata to GitHub without warning that PR comments, workflow logs, and repository metadata may expose infrastructure details. While the sample does not directly echo the tokens, agentic or automated execution contexts increase the chance of accidental secret leakage or oversharing of staging URLs and environment naming conventions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The SSH deployment example writes files to a remote server and executes docker-compose commands without an explicit warning that it modifies the target system and may deploy unreviewed content. In an agent skill, this is more dangerous because users may copy or automate the workflow without realizing it performs privileged remote changes on production-like infrastructure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This section instructs the agent/operator to retrieve SSH configuration from the API and directly access site logs over SSH, which exposes a sensitive operational capability without any explicit warning, approval step, or data-handling constraints. In an agent skill context, this is risky because logs commonly contain credentials, session identifiers, stack traces, PII, or other secrets, so normalizing unrestricted log access can lead to over-collection or unintended disclosure.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The guide explicitly says users can describe actions in plain language and Claude will automatically pick a skill. Because these skills can perform high-impact operations such as reboots, service disablement, token listing/revocation, and WordPress admin access, broad automatic routing without hard constraints increases the chance of ambiguous or unintended invocation.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The usage model relies on broad natural-language prompts to trigger API-backed actions, which can misroute requests or over-assume intent. In this plugin context, misrouting is more dangerous than in a read-only skill because multiple capabilities mutate infrastructure, SSL, deployments, WordPress state, and account resources.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation includes revoking API tokens as a plain-language task but does not emphasize that revocation is destructive and can immediately break automations or access. In an agent-driven environment, a misunderstood request could permanently invalidate credentials without the user appreciating the consequence.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The backup restoration workflow invokes a restore operation but does not clearly warn that restoring a backup can overwrite the current site state, database, and files. In an agent skill context, this is dangerous because an automated agent may execute the sequence as a routine recovery step and cause unintended data loss or rollback of newer content.

Missing User Warnings

High
Confidence
98% confidence
Finding
The provisioning timeout section instructs users to cancel a stuck site with an HTTP DELETE request without a prominent warning that this may permanently destroy the site and associated data. This is especially risky in an agent skill because 'cancel and retry' may be interpreted as a standard remediation path and executed automatically against production resources.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The guide instructs the agent to block an IP via fail2ban but does not warn that this is a disruptive security-control change that can deny access to legitimate users or administrators if the request is mistaken or maliciously prompted. In an agent-driven workflow, terse examples like this normalize taking immediate defensive action without confirmation, increasing the chance of accidental lockout or misuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The staging-to-production workflow performs live-impacting operations such as changing the site domain, renewing SSL, and enabling production caching, but the documentation does not clearly warn that these actions can immediately affect production traffic and availability. In an agent skill context, omission of an explicit confirmation or safety warning increases the chance of accidental execution against a live site.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
plugins/xcloud/skills/account/tests/smoke.sh:7

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
plugins/xcloud/skills/servers/tests/smoke.sh:7

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
plugins/xcloud/skills/sites/tests/smoke.sh:7

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
plugins/xcloud/skills/ssl/tests/smoke.sh:21

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
plugins/xcloud/skills/wordpress/tests/smoke.sh:7

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
WORK_STEP_GUIDES.md:48