Proxmox Ops

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Proxmox administration skill with powerful infrastructure operations, but the sensitive behavior matches its stated purpose.

Install this only if you want an agent to help administer your Proxmox environment. Use a least-privilege API token, protect and rotate ~/.proxmox-credentials, prefer trusted TLS certificates over curl -k, replace example passwords with secure secrets or SSH keys, and manually verify VMID, node, backups, and intent before stop, reboot, resize, rollback, delete, or provisioning actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Rogue AgentSelf-Modification, Session Persistence
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The file includes VM/container deletion examples, including a force-delete variant that purges disks, but does not place an explicit warning immediately рядом to emphasize irreversibility and data loss. In an ops-focused skill, users may copy-paste these commands directly, increasing the chance of accidental destructive actions against production workloads.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The LXC creation example sends authentication headers and embeds a literal root password value (`password=changeme123`) without a clear credential-handling warning. Even as documentation, this normalizes insecure secret practices and may lead users to reuse weak/default passwords or expose credentials in shell history, process listings, logs, or shared notes.

Session Persistence

Medium

Category: Rogue Agent
Content: ## First-Time Setup Create a credential file at `~/.proxmox-credentials`: ```bash cat > ~/.proxmox-credentials <<'EOF'
Confidence: 93% confidence
Finding: Create a credential file at `~/.proxmox-credentials`: ```bash cat > ~/.proxmox-credentials <<'EOF' PROXMOX_HOST=https://<your-proxmox-ip>:8006 PROXMOX_TOKEN_ID=user@pam!tokenname PROXMOX_TOKEN_SECRET

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal