Kibana Data Views

Security checks across malware telemetry and agentic risk

Overview

This Kibana administration skill is mostly purpose-related, but it includes broad live delete/repair actions, direct cluster troubleshooting, and exposed credential guidance that users should review before installing.

Install only if you intend to give the agent administrative control over Kibana data views and related observability configuration. Before use, replace the hardcoded host and credential guidance, prefer HTTPS and scoped credentials, run dry-runs first, export or back up affected saved objects, and require explicit human confirmation before delete, cleanup, recreate, kubectl, or direct Elasticsearch operations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (8)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 84% confidence
Finding: The skill clearly instructs network access to Kibana and related services, but no declared permissions are shown to constrain or make that capability explicit. Undeclared network capability increases the chance that an agent can make outbound requests to internal infrastructure without proper review, which is especially risky given the hardcoded internal host and admin-oriented API actions.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 92% confidence
Finding: The documented behavior exceeds the stated purpose of simple data-view management by adding Omni-Monitor-specific remediation, proxy usage, predefined targets, and operational recovery workflows. This mismatch is dangerous because operators may approve a seemingly narrow skill that actually enables broader diagnostic and destructive actions against internal Kibana and Elasticsearch components.

Description-Behavior Mismatch

Medium

Confidence: 86% confidence
Finding: The documentation expands from data-view CRUD into validation workflows and direct Elasticsearch/.kibana troubleshooting, which materially broadens the operational surface area of the skill. Scope expansion makes it easier for an agent or user to justify actions against backend stores that were not expected when approving a data-view-management capability.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The skill includes direct Kubernetes and Elasticsearch access instructions, including querying the .kibana index from inside the cluster. That goes well beyond managing Kibana data views and could expose sensitive metadata, enable unauthorized backend inspection, or encourage privilege escalation through cluster-admin style workflows.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: Documenting the Kibana console proxy introduces a more general request-forwarding capability than the listed data-view endpoints. A proxy pattern can be repurposed to reach broader Kibana APIs than intended, undermining the principle of least privilege and making misuse easier.

Missing User Warnings

Medium

Confidence: 80% confidence
Finding: The skill documents destructive delete functionality with no warning, confirmation requirement, or rollback guidance. In an agentic context, presenting deletion as a routine operation without safeguards increases the risk of accidental removal of data views that dashboards and saved objects depend on.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The authentication guidance permits session cookies or Basic auth while the examples use plain HTTP, but provides no warning about credential exposure. This can lead users or agents to send reusable credentials over unencrypted transport to an internal service, enabling interception or session theft.

Missing User Warnings

High

Confidence: 99% confidence
Finding: The troubleshooting example embeds hardcoded Elasticsearch credentials directly in a command. Hardcoded secrets in documentation are dangerous because they may be copied into automation, exposed in logs or shells, and reused by unauthorized parties to access sensitive backend data.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal