exe-dev

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only reference for managing exe.dev VMs, with disclosed commands that can create or expose cloud resources but no hidden code or exfiltration behavior.

Use this skill as a command reference. Before allowing an agent to run any exe.dev command that creates a VM, changes a port, makes a VM public, invites a user, generates a share link, changes domains, or updates Shelley, ask it to show the exact command and confirm the target VM, intended audience, and cost or exposure impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill provides direct commands to create VMs and make them public (`new`, `set-public`, share links, add users) without any confirmation guidance, authorization checks, or warnings about exposing services and data. In an agent context, this increases the risk of unintended infrastructure creation, public exposure of internal apps, and unauthorized sharing if the skill is invoked too eagerly or by mistake.

VirusTotal

66/66 vendors flagged this skill as clean.
