Back to skill

Security audit

Oz CLI Remote Node

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent remote Oz CLI proxy with powerful user-directed remote command access and local run logging that users should handle carefully.

Install only if you trust the configured remote node and want the assistant to run Oz tasks and explicit shell commands there. Treat ! commands as real remote shell commands, turn /oz off when finished, avoid sending secrets in prompts, and periodically review or remove saved node/profile state and oz_run files that may contain sensitive prompts or URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill explicitly allows `! <command>` to be translated into arbitrary `bash -c` execution on a remote node. That goes well beyond a narrow proxy for `oz-cli` usage and enables unrestricted command execution, file access, and lateral misuse on the target node if a user or prompt injects dangerous shell input.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill instructs the agent to persist the remote node name into `TOOLS.md` or local memory without notifying the user or obtaining consent. While not code execution, this creates undisclosed local storage of infrastructure metadata that may be sensitive in some environments and can be exposed through later workspace access or logs.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill tells the agent to save the selected Oz profile ID to memory for future runs without warning the user. Profile identifiers can reveal configuration choices or internal environment structure, and silent persistence increases the chance of unintended disclosure or reuse in later contexts.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill requires creation of local tracking files containing the original prompt, run IDs, URLs, date/time, and metadata without any warning or consent. This can write potentially sensitive user content and operational links to disk, creating a durable exposure surface far beyond transient command execution.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The package description advertises the ability to run both oz-cli and bash commands on a remote node via a generic endpoint, with no indication of scope limits, authentication boundaries, or allowed command restrictions. In a skill that requests node access permissions, this broad remote-command framing materially increases the risk that the skill enables arbitrary command execution or unsafe delegation of privileged operations.

Ssd 3

Medium
Confidence
91% confidence
Finding
The run-tracking instructions create a built-in data retention mechanism for user prompts and execution metadata, which can leak sensitive natural-language content, URLs, and identifiers through local files, backups, or later workspace disclosure. In this context, the danger is elevated because the skill is a proxy for remote execution, so prompts may include secrets, commands, repository paths, or incident details.

Ssd 3

Low
Confidence
77% confidence
Finding
Persisting remote node names and profile IDs for future use introduces ongoing retention of environment metadata. The impact is lower than prompt logging, but it still creates unnecessary durable records about internal infrastructure and user preferences that may be exposed later.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.