DevOps Insight

Security checks across malware telemetry and agentic risk

Overview

This DevOps incident skill is mostly transparent, but it combines broad production access with automatic external publishing and write-capable workflows that need careful review.

Review before installing. Use dedicated read-only or least-privilege credentials for Kubernetes, databases, monitoring, GitHub, and ticketing; disable EvoMap heartbeat and autoPublish unless external sharing is intended; require manual approval for every ticket update, branch, commit, PR, monitoring change, or publication; and redact logs, service details, code diffs, and customer data before anything leaves your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README expands the skill from incident analysis into code review and optional auto-fix/PR submission, which are materially different capabilities with write-side impact on external systems. This mismatch can mislead users and integrators about the skill's effective privilege and behavior, increasing the risk of unintended repository modifications or overbroad deployment in sensitive environments.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Automatic fix generation and PR submission introduce a powerful write capability that goes beyond passive incident analysis and can directly alter source code and engineering workflows. In a DevOps/SRE context with production relevance, this is more dangerous because flawed or prompt-influenced changes could be proposed or merged into critical systems under the guise of remediation.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README advertises capabilities that extend beyond passive incident analysis into code review and optional auto-fix with PR submission. Expanding a skill from analysis into code-changing behavior increases risk because users and integrators may grant broader permissions than expected, enabling unintended repository modifications or unsafe automation during incident response.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill manifest frames the capability as incident analysis and ticketing, but the body expands into operationally sensitive actions including automated code changes, pull requests, and monitoring/configuration modifications. This creates a scope mismatch that can cause users or orchestration systems to invoke the skill with lower perceived risk than its actual capabilities, enabling unexpected write actions in production-adjacent systems.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Publishing incident-derived Capsules and tracking network reputation introduces outbound data sharing that is not necessary for core incident investigation. In a DevOps context, monitoring data, root causes, affected services, and code diffs can contain sensitive operational details, so undisclosed external dissemination raises confidentiality and supply-chain exposure risks.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Automatic promotion and auto-publishing allow the skill to transmit high-confidence outputs to an external network without human review. Confidence thresholds do not prevent leakage of sensitive incident details or flawed remediation artifacts, and automation increases the chance of rapid, repeated disclosure across incidents.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The documented automated fix workflow includes generating code, creating branches, submitting PRs, and updating tickets, which materially exceeds a skill described for analysis and ticketing. In practice this turns a diagnostic skill into a change-capable agent, increasing the risk of unauthorized repository modifications, malicious prompt-induced changes, or accidental remediation based on incomplete analysis.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README describes creating tickets automatically and optionally submitting fix PRs without prominent user-facing warnings about side effects, approvals, or target systems. This can cause users to invoke the skill expecting analysis-only behavior while it performs state-changing actions in ticketing or source control platforms, which is especially risky in operational incident workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes automatic ticket creation and optional auto-fix PR submission without prominent warnings that these actions modify external systems. In a DevOps/SRE context, such side effects are especially sensitive because they can create noisy tickets, alter operational workflows, or push risky code changes during an incident, amplifying disruption or enabling abuse if triggered by untrusted input.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example input 'Production /api/users endpoint response time suddenly increased, help me analyze the cause' is broad natural language that could match many ordinary troubleshooting requests and trigger the skill without clear gating. In an agentic environment, overly broad trigger phrasing increases the chance of unintended activation against production observability, logging, and ticketing integrations, which can expose sensitive operational data or cause unnecessary actions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The outage-analysis invocation 'Help me analyze the root cause of last night's 22:00 order service outage' is still generic enough to overlap with normal conversation about incidents, especially if the broader skill metadata already covers common troubleshooting language. Because the skill discusses retrieving logs, comparing deployments, and generating reports, accidental routing could initiate sensitive incident-analysis workflows on real production data.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The phrase 'Check if there are any potential system issues' is highly ambiguous and broadly applicable to many casual requests, making it the strongest unintended-activation risk in this file. In this skill's context, that ambiguity is more dangerous because the workflow implies broad scanning across service metrics, databases, caches, and monitoring systems, which can lead to unnecessary large-scale access to sensitive operational telemetry and noisy automated conclusions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger description is broad enough to match ordinary DevOps, monitoring, or observability conversations, which can cause over-invocation of a highly privileged skill. Because this skill can access monitoring systems, GitHub, tickets, and external publication channels, accidental activation broadens the blast radius and increases the chance of unnecessary sensitive data access or side effects.

Credential Access

High
Category
Privilege Escalation
Content
    "mcpServers": {
      "kubernetes": {
        "command": "mcp-server-kubernetes",
        "args": ["--kubeconfig", "${HOME}/.kube/config"],
        "env": {
          "KUBECONFIG": "${HOME}/.kube/config"
        }
Confidence
88% confidence
Finding
/.kube/config

Credential Access

High
Category
Privilege Escalation
Content
        "command": "mcp-server-kubernetes",
        "args": ["--kubeconfig", "${HOME}/.kube/config"],
        "env": {
          "KUBECONFIG": "${HOME}/.kube/config"
        }
      },
      "postgresql": {
Confidence
90% confidence
Finding
/.kube/config

Credential Access

High
Category
Privilege Escalation
Content
    "mcpServers": {
      "kubernetes": {
        "command": "mcp-server-kubernetes",
        "args": ["--kubeconfig", "${HOME}/.kube/config"],
        "env": {
          "KUBECONFIG": "${HOME}/.kube/config"
        }
Confidence
88% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
        "command": "mcp-server-kubernetes",
        "args": ["--kubeconfig", "${HOME}/.kube/config"],
        "env": {
          "KUBECONFIG": "${HOME}/.kube/config"
        }
      },
      "postgresql": {
Confidence
90% confidence
Finding
KUBECONFIG

VirusTotal

66/66 vendors flagged this skill as clean.