Security audit

xCloud Docker Deploy

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed deployment-preparation skill that contains templates and guidance, with no executable installer or hidden credential handling found.

Install only if you want an agent to help prepare xCloud deployment files. Before using generated workflows or Laravel hooks, review the exact files, use a branch or pull request, confirm staging versus production, verify backups, and do not add webhook or API secrets unless you intend the approved deployment action to run.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 91% confidence
Finding: The workflow presents a 'Production safety gate' only as a comment, but the deploy step still executes automatically whenever the webhook secret is present. In a deployment-oriented skill, this can lead to unintended production or staging deployments without an enforced human approval step, increasing the risk of outages, misdeployments, or unsafe changes being pushed live.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The deployment steps instruct users to run `php artisan migrate --force`, which suppresses the normal production confirmation prompt and can apply schema changes immediately against a live database. Without an accompanying warning, backup guidance, or rollback strategy, users may execute destructive or incompatible migrations during deployment and cause downtime or data loss.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal