
Security audit

goto-cloudserver-manager

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud-operations skill, but it handles powerful cloud credentials and infrastructure-changing actions with enough scoping and safety gaps that users should review it before installing.

Install only if you are comfortable granting this skill administrative cloud and server access. Use short-lived, least-privilege cloud credentials; do not paste production root/admin secrets into chat; review the skill's policies before use; configure production servers at the strictest environment level the skill offers; and manually inspect any firewall or security-group change plan before confirming it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (49)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def execute(self, command: str, timeout: int = 60) -> ExecutionResult:
    logger.debug("local_execute", command=command[:80])
    try:
        result = subprocess.run(
            command,
            shell=self._shell,
            capture_output=True,
Confidence
97% confidence
Finding
result = subprocess.run( command, shell=self._shell, capture_output=True, text=True, timeout=timeout,

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises and likely relies on sensitive capabilities including environment access, file read/write, and shell execution, but it does not declare permissions explicitly. In an automation skill that can manage cloud servers and databases, undeclared powerful capabilities reduce transparency and can bypass user expectations or platform review controls, increasing the chance of credential exposure or unauthorized system changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The top-level description frames the skill mainly as status checking, database installation, schema creation, monitoring, and health reporting, but the manifest also includes broader and more sensitive actions such as modifying security groups, configuring firewalls and WinRM, restarting instances/services, creating users, backup/restore, and seeding data. This mismatch can cause users to underestimate the operational and security impact of the skill, making risky infrastructure changes more likely under incomplete informed consent.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The dispatcher can change host firewalls and cloud security-group rules, which directly affects network exposure and can open administrative or database ports to unintended sources. In a skill presented mainly for database installation and health reporting, this broader capability increases the risk of misuse, accidental overexposure, or prompt-induced network weakening, especially because permissive defaults like source_cidr='10.0.0.0/8' are embedded in code.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Configuring WinRM changes remote-management posture and can enable or widen remote administrative access on Windows systems. This is dangerous because exposing or reconfiguring WinRM is materially broader than routine database maintenance, and if triggered with unsafe settings or weak surrounding controls it can create a path for lateral movement or remote compromise.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This executor exposes a general-purpose local command execution primitive on the host, which is broader than the stated purpose of managing cloud servers. That capability creates a dangerous trust boundary bypass: any higher-level workflow that can influence the command string can cause arbitrary host-side actions unrelated to intended remote administration.

Intent-Code Divergence

Low
Confidence
83% confidence
Finding
The docstring claims the local executor is only for testing and debugging, but the implementation does not enforce that restriction anywhere. This mismatch can mislead reviewers and operators into underestimating the risk, while production code still exposes arbitrary local execution capability.
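The three findings above (the `subprocess.run(command, shell=self._shell, ...)` call, the general-purpose local execution primitive, and the unenforced "testing only" docstring) point at one fix. The block below is an added example, not the skill's own executor: a local executor that takes an argv list instead of a command string, never uses a shell, restricts argv[0] to a short allowlist, and is off unless the caller opts in explicitly. `SAFE_BINARIES`, `ExecResult` and the function names are assumptions for illustration; the allowlist would be tuned to the tasks the skill actually needs.

```python
import shlex
import shutil
import subprocess
from dataclasses import dataclass

# Hypothetical allowlist for a hardened local executor (assumption: the real
# skill's executor is not reproduced here). Add only what tasks actually need.
SAFE_BINARIES = frozenset({"echo", "uname", "df", "free", "systemctl"})


@dataclass
class ExecResult:
    returncode: int
    stdout: str
    stderr: str


def execute_local(argv, *, enabled=False, timeout=60):
    """Run a local command without a shell.

    - `enabled` must be passed explicitly, so the "testing/debug only"
      executor is off unless the caller turns it on (e.g. from LOCAL_EXEC=1
      in a development environment).
    - `argv` must be a list; a string would tempt callers back to shell=True.
    - argv[0] must be a bare name on the allowlist and resolve via PATH.
    """
    if not enabled:
        raise PermissionError("local execution is disabled outside test/debug")
    if isinstance(argv, str) or not argv:
        raise TypeError("argv must be a non-empty list, not a shell string")
    name = argv[0]
    if "/" in name or name not in SAFE_BINARIES:
        raise PermissionError(f"binary not allowed: {name!r}")
    path = shutil.which(name)
    if path is None:
        raise FileNotFoundError(name)
    # shell=False: the argument list goes straight to execve, so ';', '|',
    # '$(...)' and friends are ordinary characters, not operators.
    proc = subprocess.run([path, *argv[1:]], shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return ExecResult(proc.returncode, proc.stdout, proc.stderr)


def is_rejected(argv, enabled=True) -> bool:
    """True if the executor refuses the request before anything runs."""
    try:
        execute_local(argv, enabled=enabled)
    except (PermissionError, TypeError):
        return True
    return False


def render_for_log(argv) -> str:
    """Unambiguous rendering for audit logs: each argv element is quoted."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Metacharacters in an argument are passed through literally.
    print(execute_local(["echo", "hi; echo injected"], enabled=True).stdout)
    print(is_rejected(["bash", "-c", "id"]))  # allowlist blocks shell access
```

If a task genuinely needs a pipeline, build it as two `subprocess.Popen` calls connected by a pipe rather than re-enabling `shell=True`; logging the rendered argv (not the raw string) keeps the audit trail unambiguous.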

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The guide states a default listening port of 9182, but the Prometheus example targets port 9100. 9182 is the default port of windows_exporter and 9100 that of node_exporter, so the two snippets may be describing different exporters. This inconsistency can cause monitoring to silently fail or scrape the wrong service, reducing visibility into server health in an automation/operations skill where users may rely on the documentation verbatim.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The adapter includes functionality to authorize new security group ingress rules, which expands its capability beyond passive inventory, health checks, and database setup into network perimeter modification. In a multi-cloud operations skill, this can expose services to unintended networks and materially change attack surface, especially because the method accepts arbitrary CIDRs, ports, and protocols without policy enforcement.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Granting the skill the ability to modify security groups is a privileged network-control capability that is not clearly necessary for the stated purpose of database installation, schema creation, monitoring, and health reporting. Even if intended for convenience, unjustified privilege increases the blast radius of misuse or prompt/logic abuse and can be used to open remote access paths to cloud hosts.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The comment and method name assert that only internal CIDRs are allowed, but the implementation only blocks the exact value 0.0.0.0/0. An attacker or careless operator could open database-related ports to arbitrary public ranges such as a single external IP or a broad public CIDR, defeating the documented security boundary in a cloud operations skill that manages security groups.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This adapter can modify Huawei cloud security-group rules by opening ports, which directly changes network exposure of cloud instances. In the stated context of database installation, monitoring, and health reporting, this capability is more dangerous because it can silently widen attack surface without clear user expectation or demonstrated guardrails in this file.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README explicitly instructs users to paste cloud AccessKey/Secret values into a chat interface, which creates a high risk of secret exposure through chat logs, agent memory, telemetry, screenshots, audit trails, or upstream service retention. This skill is especially sensitive because the supplied credentials are for multi-cloud infrastructure management, so compromise could enable broad control over servers, databases, and operational environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to paste cloud AccessKey/Secret material directly into chat and states that the platform will write those credentials into a local .env file, without a strong warning about secret handling, retention, log exposure, or safer alternatives. If chat transcripts, agent logs, debugging output, or local files are exposed, an attacker could obtain cloud credentials and fully compromise associated infrastructure.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The file explicitly states that the orchestration system can trigger a full workflow by task name alone, and several tasks perform sensitive administrative actions such as database installation, firewall changes, user creation, and backups. Broad or ambiguous invocation semantics increase the chance of unintended or over-broad activation, especially in an agentic environment where natural-language matching may map a vague request to a destructive or privileged task.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script writes a full MySQL dump to a user-supplied destination without enforcing restrictive permissions, checking whether the destination is secure, or warning that the output contains sensitive database contents. In an ops automation context, this increases the chance that backups are stored in world-readable locations, weakly protected shared paths, or accidentally retained, exposing credentials, personal data, or application secrets.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script accepts a MySQL password as a positional argument and passes it to mysql as -pPASSWORD, which can expose the credential through process listings, shell history, audit logs, or orchestration/job metadata. In an automation/operations skill managing cloud servers, this is more dangerous because credentials are likely privileged and may be handled by multiple operators or automation systems.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script constructs redis-cli arguments with `-a $REDIS_PASSWORD`, which exposes the Redis password in the process command line. On many systems, command-line arguments can be read by other local users via process listings or audit logs, so credentials may be disclosed during routine health checks. In an operations skill that manages cloud servers, this is more concerning because it is likely to run in shared admin environments, automation runners, or logged orchestration contexts.
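The three script findings above (the dump written without restrictive permissions, `-pPASSWORD` on the mysql command line, and `-a $REDIS_PASSWORD` on the redis-cli command line) share the same remedy: keep the secret out of argv and create the output file with a safe mode before anything is written. The block below is an added example and not the skill's scripts. It assumes `mysqldump` and `redis-cli` are the tools being wrapped and uses two facts about them: `mysqldump` reads `[client]` credentials from `--defaults-extra-file` (which must be the first option), and `redis-cli` reads the password from the `REDISCLI_AUTH` environment variable instead of `-a`. It prepares the job and returns what it built; it does not run the database tools, so it runs offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example, not the skill's backup/health-check scripts. Assumptions:
# mysqldump and redis-cli are on PATH; the dump must be owner-only readable.


def _mysql_option_value(secret: str) -> str:
    # Option-file values are double-quoted; backslash and '"' are escaped.
    return '"' + secret.replace("\\", "\\\\").replace('"', '\\"') + '"'


def write_mysql_defaults(password: str, user: str = "root") -> Path:
    """Write a 0600 option file so the password never appears in argv."""
    fd, name = tempfile.mkstemp(prefix="mysql-", suffix=".cnf")
    try:
        os.fchmod(fd, 0o600)  # mkstemp already uses 0600; made explicit
        with os.fdopen(fd, "w") as fh:
            fh.write("[client]\n")
            fh.write(f"user={_mysql_option_value(user)}\n")
            fh.write(f"password={_mysql_option_value(password)}\n")
    except Exception:
        os.unlink(name)
        raise
    return Path(name)


def mysqldump_argv(defaults_file: Path, database: str) -> list:
    # --defaults-extra-file must come first on the mysqldump command line.
    return ["mysqldump", f"--defaults-extra-file={defaults_file}",
            "--single-transaction", database]


def redis_cli_env(password: str, base_env=None) -> dict:
    """redis-cli honours REDISCLI_AUTH; unlike argv, another user's `ps`
    does not show a process's environment."""
    env = dict(base_env if base_env is not None else os.environ)
    env["REDISCLI_AUTH"] = password
    return env


def open_dump_target(path):
    """Create the dump file 0600 and refuse to clobber an existing file."""
    fd = os.open(str(path), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return os.fdopen(fd, "wb")


def file_mode(path) -> int:
    return stat.S_IMODE(os.stat(str(path)).st_mode)


def argv_leaks_secret(argv, secret: str) -> bool:
    return any(secret in a for a in argv)


def plan_backup(password: str, database: str, dest_dir=None) -> dict:
    """Prepare everything the dump job needs without running mysqldump:
    option file, argv, and an empty 0600 dump file to pass as stdout=."""
    dest_dir = Path(dest_dir or tempfile.mkdtemp(prefix="backup-"))
    defaults = write_mysql_defaults(password)
    dump_path = dest_dir / f"{database}.sql"
    with open_dump_target(dump_path):
        pass
    try:
        open_dump_target(dump_path)  # second create must fail (O_EXCL)
        clobber_refused = False
    except FileExistsError:
        clobber_refused = True
    return {
        "argv": mysqldump_argv(defaults, database),
        "defaults_file": defaults,
        "dump_path": dump_path,
        "dump_mode": file_mode(dump_path),
        "defaults_mode": file_mode(defaults),
        "clobber_refused": clobber_refused,
    }


if __name__ == "__main__":
    plan = plan_backup("example-only-password", "appdb")
    print(plan["argv"], oct(plan["dump_mode"]), plan["clobber_refused"])
```

The option file should be deleted once the job has finished (or placed on a tmpfs), and the environment approach has its own limit: root and the process's own children can still read `REDISCLI_AUTH`, so it is an improvement over argv, not a substitute for short-lived credentials.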

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The WinRM session is created with `server_cert_validation="ignore"`, which disables TLS certificate verification and makes the client trust any certificate presented by the remote endpoint. This enables man-in-the-middle attacks, credential interception, and command/file tampering when connecting to Windows servers over untrusted networks, which is especially dangerous in a cloud O&M context. The pywinrm parameter also accepts `"validate"`, and a private CA can be supplied through `ca_trust_path`, so self-signed listener certificates are not a reason to disable validation.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The document instructs users to execute a shell script directly without warning that it will modify the system. In an infrastructure-management skill, this increases the risk of unintended privileged changes, especially if operators run the command without reviewing the script contents or understanding its effects.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script prints the MySQL root password to stdout at the end of execution. In automation contexts, stdout is commonly captured by CI/CD logs, remote orchestration systems, shell history wrappers, or monitoring tools, which can expose privileged database credentials to unintended viewers.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script downloads an executable archive from the network and installs it as root without any integrity verification such as a checksum or signature check. If the download source, release artifact, DNS, or TLS trust chain is compromised, an attacker could cause arbitrary code execution with elevated privileges.
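The fix for this finding is to pin the expected digest of the release artifact in the skill (copied once from the upstream checksum file, not fetched from the same URL as the archive) and to refuse extraction on mismatch. The block below is an added example, not the skill's install script. The archive it verifies is constructed in memory so the example runs offline; `exporter-1.0/exporter` and the helper names are placeholders. It also rejects archive members with absolute paths, `..` components or links, because an archive extracted as root is exactly where a traversal entry does the most damage.

```python
import hashlib
import hmac
import io
import tarfile
import tempfile
from pathlib import Path

# Added example, not the skill's install script. Assumption: the digest is
# pinned in the skill from the upstream release checksum list.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    # constant-time comparison; the digest string is always ASCII hex
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def is_safe_member_name(name: str) -> bool:
    p = Path(name)
    return not p.is_absolute() and ".." not in p.parts


def _member_is_safe(member: tarfile.TarInfo) -> bool:
    # no traversal, and no symlinks/hardlinks (they can point outside dest)
    return (is_safe_member_name(member.name)
            and not member.issym() and not member.islnk())


def install_archive(data: bytes, expected_sha256: str, dest) -> list:
    """Verify first, extract second. Returns the extracted member names."""
    if not verify_artifact(data, expected_sha256):
        raise ValueError("checksum mismatch: refusing to install")
    dest = Path(dest)
    names = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not _member_is_safe(m):
                raise ValueError(f"unsafe archive member: {m.name}")
            tar.extract(m, path=dest)
            names.append(m.name)
    return names


def build_sample_archive() -> bytes:
    """Constructed stand-in for a downloaded release tarball (not a real
    upstream artifact)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"#!/bin/sh\necho sample exporter\n"
        info = tarfile.TarInfo("exporter-1.0/exporter")
        info.size = len(payload)
        info.mode = 0o755
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo_install(dest=None) -> dict:
    data = build_sample_archive()
    pinned = sha256_hex(data)  # real use: copied from the release checksum file
    dest = Path(dest or tempfile.mkdtemp(prefix="install-"))
    extracted = install_archive(data, pinned, dest)
    try:
        install_archive(data + b"\0", pinned, dest)  # one extra byte
        tampered_refused = False
    except ValueError:
        tampered_refused = True
    return {
        "pinned": pinned,
        "extracted": extracted,
        "binary_exists": (dest / "exporter-1.0" / "exporter").is_file(),
        "tampered_refused": tampered_refused,
        "tampered_verifies": verify_artifact(data + b"\0", pinned),
    }


if __name__ == "__main__":
    print(demo_install())
```

A checksum pinned in the skill only protects against a tampered download if the pin itself was taken from a trusted source; where the project publishes signed checksum files, verifying that signature once, when updating the pin, closes the remaining gap.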

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script prints the Redis password in cleartext to standard output after installation. In automation and operations environments, stdout is commonly captured by CI logs, terminal history, remote orchestration consoles, or centralized log systems, which can expose credentials to unintended viewers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code directly authorizes a security group rule with no user-facing warning, no confirmation step, and no safeguard against dangerous inputs such as broad CIDRs or sensitive ports. Silent network exposure changes are risky in an automation context because a mistaken call or abused workflow can open services externally without operator awareness.
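Three of the findings above describe the same gap in the security-group adapters: an "internal only" check that merely rejects the literal `0.0.0.0/0`, an authorize method that accepts arbitrary CIDRs, ports and protocols, and no policy gate before the rule is applied. The block below is an added example, not the skill's adapter code, showing the weak check next to a proper one built on `ipaddress`, plus a rule policy that returns the violations an operator should see before confirming. The private ranges (RFC 1918 plus IPv6 ULA), the port sets and the /24 minimum for database ports are assumptions to adapt to your VPC layout.

```python
import ipaddress

# Added example, not the skill's adapter. Policy constants are assumptions.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
ADMIN_PORTS = {22, 3389, 5985, 5986}     # ssh, rdp, winrm http/https
DATA_PORTS = {3306, 5432, 6379, 27017}   # mysql, postgres, redis, mongo
MIN_PREFIX_FOR_DATA_PORTS = 24           # DB ports need at least a /24 source


def naive_is_internal(cidr: str) -> bool:
    """The pattern the finding describes: only the literal 0.0.0.0/0 is
    blocked, so 0.0.0.0/1 or any public /32 passes."""
    return cidr != "0.0.0.0/0"


def is_internal_cidr(cidr: str) -> bool:
    """True only if the whole range sits inside one private block.
    strict=True also rejects non-canonical input such as 10.0.0.1/8."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return any(net.version == p.version and net.subnet_of(p)
               for p in PRIVATE_RANGES)


def check_ingress_rule(cidr: str, port: int, protocol: str = "tcp") -> list:
    """Return the policy violations for a proposed ingress rule. An empty
    list means the rule may go on to the operator confirmation step."""
    problems = []
    if not is_internal_cidr(cidr):
        problems.append(f"source {cidr} is not a private range")
    if protocol not in ("tcp", "udp"):
        problems.append(f"protocol {protocol!r} not allowed (no 'all'/-1 rules)")
    if port in ADMIN_PORTS:
        problems.append(f"port {port} is a remote-admin port; "
                        "use a bastion or the cloud's session manager instead")
    if port in DATA_PORTS and is_internal_cidr(cidr):
        plen = ipaddress.ip_network(cidr).prefixlen
        if plen < MIN_PREFIX_FOR_DATA_PORTS:
            problems.append(f"database port {port} opened to /{plen}; "
                            f"narrow the source to /{MIN_PREFIX_FOR_DATA_PORTS} or smaller")
    return problems


if __name__ == "__main__":
    for rule in (("203.0.113.5/32", 3306, "tcp"), ("10.0.0.0/8", 3306, "tcp"),
                 ("10.20.1.0/24", 3306, "tcp"), ("0.0.0.0/1", 22, "tcp")):
        print(rule, "naive:", naive_is_internal(rule[0]),
              "policy:", check_ingress_rule(*rule) or "ok")
```

Even with an empty violation list, the adapter should print the resolved rule (group, protocol, port, source) and wait for an explicit confirmation before calling the cloud API, which is the confirmation step the finding says is missing.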

Ssd 3

High
Confidence
99% confidence
Finding
The documented setup flow tells users to transmit cloud credentials in conversational text and states the agent will write them into a local .env file, normalizing insecure secret handling. Even if storage is local, the transmission path through the chat system may expose secrets to logging, model providers, plugins, or operators, and these credentials can grant powerful access to cloud compute resources.

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

No suspicious patterns detected.