Nebius AI Cloud

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Nebius cloud deployment skill, but it gives agents broad cloud-provisioning authority with unsafe or under-scoped defaults that users should review before installing.

Install only if you intentionally want an agent to manage Nebius cloud resources. Require explicit approval before creating or deleting resources, exposing public services, changing IAM, using SSH, or running Terraform. Prefer private endpoints, verified SSH host keys, restricted ingress, least-privilege service accounts, and secret managers, and rotate any token or key that appears in shell history, URLs, logs, screenshots, or command lines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The documentation states endpoints should be private by default, but the example includes `--public`, which exposes the service and SSH surface to the internet. This inconsistency can mislead operators into unintentionally deploying publicly reachable infrastructure, increasing exposure to scanning, brute force, and accidental data leakage.

Vague Triggers
Severity: High
Confidence: 96%
Finding: The README explicitly states the skill should auto-trigger for broad classes of requests such as deployment, infrastructure, and GPU usage, making it the default provider even when the user did not clearly request Nebius. In an agent setting, this can cause unintended cloud actions, spending, resource provisioning, and environment changes from ambiguous prompts.

Vague Triggers
Severity: High
Confidence: 95%
Finding: The examples reinforce activation on generic requests like 'Deploy my app' and 'I need a GPU', without requiring provider confirmation, scope clarification, or safety checks. This increases the chance an agent routes unrelated or underspecified requests into real cloud provisioning workflows, leading to accidental infrastructure creation or misuse.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The description presents the skill as enabling deployment and infrastructure management but does not warn that these actions may be destructive, security-sensitive, or billable. In a high-privilege cloud-management context, omission of these warnings makes accidental misuse more likely and reduces informed consent before impactful operations.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The SSH tunnel command explicitly disables host key verification with `StrictHostKeyChecking=no`, which removes a core SSH protection against man-in-the-middle attacks. In this context, users are connecting to a newly created public endpoint, so suppressing verification makes it easier for an attacker on the network path or with DNS/IP spoofing capability to intercept credentials or tunnel traffic.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The example explicitly makes the dashboard public over plain HTTP and places the dashboard password in the URL fragment. Even though fragments are not sent to servers, URLs are commonly exposed via browser history, screenshots, copied links, logs, and shoulder-surfing, and the direct public exposure significantly increases the attack surface of an admin interface.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The SSH tunnel example disables host key verification with `-o StrictHostKeyChecking=no`, which makes man-in-the-middle attacks easier by suppressing the normal SSH identity check. In a deployment skill that encourages connecting to newly created public endpoints, this is more dangerous because users may copy-paste the command into untrusted or first-time network environments.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The documentation instructs users to generate a service-account key and write the resulting JSON, which contains private key material, to a local plaintext file (`sa-key.json`) without warning about file permissions, lifecycle, or accidental disclosure. In a cloud/IAM skill, this is security-relevant because such keys are long-lived credentials that can be copied, committed, or exfiltrated and then used to impersonate the service account.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The example creates an ingress rule allowing SSH from 0.0.0.0/0, which exposes port 22 to the entire internet. In a deployment-focused cloud skill, users may copy this command directly into production-like environments, increasing the likelihood of brute-force attacks, credential guessing, and unnecessary remote exposure without any warning about safer scoping.

Session Persistence
Severity: Medium
Category: Rogue Agent
Content:
```
# Store these securely (e.g., as CI secrets).

# 4. Configure CLI profile with service account
# Write to ~/.nebius/config.yaml with auth-type: service-account
# and reference the private key file
```
Confidence: 88%
Finding: See [Nebius docs on service account auth](https://docs.nebius.com/cli/configure) for the full c

VirusTotal

66/66 vendors flagged this skill as clean.
