Esxi Debian Deploy

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ESXi VM automation skill, but it needs review because it can delete/recreate VMs and uses powerful credentials with weak host verification defaults.

Install only if you intend to let an agent administer an ESXi host. Before you do:
  • use a lab host or a tightly scoped ESXi account where possible, and unique VM names;
  • review the scripts before running them;
  • verify ESXi TLS and SSH host identity instead of accepting the insecure defaults;
  • remove the preseed ISO after deployment;
  • protect logs and stdout that contain generated passwords;
  • restrict or disable the telnet serial console once it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documentation understates sensitive behavior: it enables password-based root SSH login, performs post-install remote reconfiguration, and includes a resize utility outside the declared scope. Hidden or insufficiently disclosed privileged behavior is dangerous because operators may authorize the skill for simple provisioning while it also makes security-impacting configuration changes that expand attack surface.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documentation claims secrets are never embedded in process arguments, yet the skill requires sshpass, which commonly exposes passwords via command-line arguments visible to local users through process listings or audit logs. This creates a realistic credential disclosure risk on the machine running the automation, especially in shared CI, bastion, or multi-user admin environments.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README prominently advertises zero-touch VM deployment and unattended installation, but it does not clearly warn users that running the skill will create and modify infrastructure resources automatically. In an agent-driven environment, that omission increases the chance of unintended VM creation, storage/network consumption, and configuration changes because an operator or downstream agent may treat the action as low-risk documentation-backed automation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference instructs operators to enable ESXi's remote serial port firewall ruleset for a telnet-backed serial console, but it does not warn that this exposes an unauthenticated, plaintext management interface on the host network. In this deployment context, that omission can lead users to open access broadly and leave it enabled, increasing the risk of console interception or unauthorized VM console access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script handles highly sensitive ESXi and guest root credentials via environment variables and sets GOVC_INSECURE=true while later using SSH with StrictHostKeyChecking=no. This disables identity verification for both the hypervisor API and guest SSH session, creating a realistic man-in-the-middle risk that could expose credentials and allow unauthorized control over infrastructure and VMs.
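A wrapper that closes both gaps at once, the password in argv from the Intent-Code Divergence finding above and the disabled host verification from this finding, written here as an added example rather than code from the skill. It assumes a hypothetical environment contract (GOVC_INSECURE and GOVC_TLS_KNOWN_HOSTS for govc, GUEST_ROOT_PASSWORD for the guest) and illustrative addresses and paths; govc's GOVC_TLS_KNOWN_HOSTS thumbprint file, `govc about.cert -thumbprint` and `sshpass -e` are real features of those tools.

```shell
#!/bin/sh
# Added example, not code from the skill: refuse the insecure defaults the
# findings describe and build the guest SSH call with the host key pinned and
# the password kept out of argv. Assumed (hypothetical) environment contract:
# GOVC_INSECURE / GOVC_TLS_KNOWN_HOSTS for govc, GUEST_ROOT_PASSWORD for the guest.
set -u

# Weak form being replaced (any local user sees the password with `ps`):
#   export GOVC_INSECURE=true
#   sshpass -p "$GUEST_ROOT_PASSWORD" ssh -o StrictHostKeyChecking=no root@$vm

# run: execute a command, or only print its argv when DRY_RUN=1 (review/tests).
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# preflight_govc_env: 0 only if ESXi TLS verification stays on and a pinned
# thumbprint file exists. Populate that file once, out of band, and compare the
# printed thumbprint with the one shown on the host's DCUI before trusting it:
#   govc about.cert -k -thumbprint >> "$GOVC_TLS_KNOWN_HOSTS"
preflight_govc_env() {
  case "${GOVC_INSECURE:-}" in
    ""|0|false|FALSE|False) ;;
    *) echo "refusing: GOVC_INSECURE=${GOVC_INSECURE} disables ESXi TLS verification" >&2
       return 1 ;;
  esac
  kh="${GOVC_TLS_KNOWN_HOSTS:-}"
  if [ -z "$kh" ] || [ ! -s "$kh" ]; then
    echo "refusing: GOVC_TLS_KNOWN_HOSTS must name a non-empty pinned thumbprint file" >&2
    return 1
  fi
}

# cmdline_leaks_password: 0 if a command line carries the password in argv
# (sshpass -p), readable by every local user via ps or /proc/<pid>/cmdline.
# sshpass -e (password in $SSHPASS) or -f <file> keep it out of argv.
cmdline_leaks_password() {
  case "$1" in
    *"sshpass -p"*) return 0 ;;
    *) return 1 ;;
  esac
}

# guest_ssh HOST KNOWN_HOSTS [cmd...]: password login is still used (the skill's
# design), but the guest's host key must already be in KNOWN_HOSTS, obtained over
# a trusted path (VM console, or ssh-keyscan on a trusted segment), and a
# mismatch is fatal instead of silently accepted.
guest_ssh() {
  host="$1"; known_hosts="$2"; shift 2
  [ -s "$known_hosts" ] || { echo "refusing: no pinned host key file for $host" >&2; return 1; }
  SSHPASS="${GUEST_ROOT_PASSWORD:?GUEST_ROOT_PASSWORD not set}"
  export SSHPASS
  run sshpass -e ssh -o StrictHostKeyChecking=yes \
      -o "UserKnownHostsFile=$known_hosts" -o NumberOfPasswordPrompts=1 \
      "root@$host" "$@"
  rc=$?
  unset SSHPASS
  return $rc
}

# Usage: DRY_RUN=1 GUEST_ROOT_PASSWORD=... sh wrapper.sh 10.0.0.5 ./guest_known_hosts uptime
if [ $# -ge 2 ]; then
  preflight_govc_env || exit 1
  guest_ssh "$@"
fi
```

For a freshly preseeded guest there is no prior key to pin, so the fingerprint has to come from a channel you already trust (the VM console, or ssh-keyscan run on a trusted segment) and be written to the pinned file before the first `guest_ssh` call. `sshpass -e` keeps the password out of `ps`, but `/proc/<pid>/environ` is still readable by the same user and by root, so the trust boundary is the automation's own account, not the shared host.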

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal