Back to skill

Security audit

Ops Maintenance

Security checks across malware telemetry and agentic risk

Overview

This is a powerful operations skill with disclosed remote administration features, but it needs careful review because it can use SSH credentials, run commands, transfer files, persist operational data, and has unsafe shell-command construction in several paths.

Install only in an environment where you intentionally want an agent to inspect local and remote systems. Use dedicated low-privilege SSH keys, avoid default private-key fallback, restrict configured hosts and tags, review webhook destinations, and treat SFTP and cluster exec as production-impacting actions. Do not use this on sensitive fleets without adding confirmation gates, path/host allowlists, and safer non-shell command execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (50)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The manifest declares only tools but no explicit permissions model despite the skill clearly exercising shell, network, environment, remote access, and persistent storage capabilities. This creates a governance gap: users and policy engines cannot accurately reason about what the skill may access or transmit, increasing the chance of overbroad execution and unsafe deployment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared description frames the skill as monitoring/audit, but the documented behavior goes beyond that into remote command execution, batch operations, file transfer, server inventory management, and external communications. This mismatch is dangerous because users may invoke it under the assumption of passive observation while granting access to active remote operations that can expose or alter sensitive systems and data.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The report documents SFTP upload/download and related remote-access capabilities that go beyond a monitoring/auditing-focused skill description. Scope expansion is dangerous because users may grant trust, network access, or credentials based on a narrower stated purpose, enabling unexpected modification or movement of remote data.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
Documented cluster-wide arbitrary command execution on production-tagged servers materially exceeds a maintenance/inspection-only scope and can directly change or disrupt many systems at once. In this context, broad execution is especially risky because the skill is positioned as an ops helper, making high-impact actions appear routine and trustworthy.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Automatic use of default SSH keys introduces credential-access behavior that may silently consume highly privileged local credentials without explicit user intent. This increases the chance of unintended lateral movement or remote access, especially when the skill already supports multi-host operations.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The quickstart documents remote file upload and download capabilities that materially exceed the declared monitoring/auditing scope of the skill. In an agent skill, undocumented write-capable remote actions increase the risk of unexpected system modification, data exfiltration, or misuse by users who believe the tool is read-only or primarily observational.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
Bulk remote command execution across servers is a powerful administrative capability that goes beyond the stated maintenance/monitoring description and can directly affect many systems at once. In a clustered environment, this mismatch is especially dangerous because users may grant trust based on the documented scope and unintentionally enable mass-impact actions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README documents SFTP upload/download and remote directory operations, which materially expand the skill from monitoring/audit into active remote administration. When a skill advertises broader capabilities than its stated manifest scope, users and downstream reviewers may grant trust or permissions under false assumptions, increasing the chance of unintended remote system modification.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The cluster-management examples include adding servers and executing commands across multiple hosts, which goes well beyond passive monitoring described in the metadata. In an agent skill, undocumented multi-host command execution is especially risky because it can enable fleet-wide changes or damage while appearing to be a read-only maintenance tool.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The documented cluster exec feature allows execution of operator-supplied commands across groups of servers, which is materially broader than health monitoring or audit. Even if intended for administration, this concentrates blast radius and can be abused to run sensitive discovery or destructive commands on many hosts at once if input validation or policy enforcement is weak.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The security notes claim only safe whitelisted read-only commands are allowed, but the interface advertises a generic exec capability that appears unrestricted from the user's perspective. This inconsistency undermines trust boundaries and can conceal broader execution than the user expects, especially in a remote multi-host context.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill supports bulk command execution across all configured servers, which materially expands it from monitoring into operational control. Even with a command validator, this increases misuse potential and makes the skill capable of performing actions inconsistent with a monitoring/audit-only assistant.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code claims it does not use a shell, but it calls child_process.exec, which does use shell semantics. This is dangerous because many callers build commands with interpolated user input, so metacharacters, pipes, redirects, and command chaining can lead to command injection or bypass of the intended safety model.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
SFTP upload, download, and directory listing add write and bulk data access capabilities beyond the stated monitoring/audit role. In practice, this can be used to alter remote systems or exfiltrate files through an assistant interface that users may not expect to have such powers.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
runRemoteCommand exposes generic SSH command execution against arbitrary configured hosts. In the context of a monitoring/audit assistant, this is overly powerful and can be abused to run destructive or unauthorized administrative actions if validation is bypassed, incomplete, or later weakened.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
Remote upload and download allow direct modification of remote systems and copying of potentially sensitive files. For a monitoring-focused skill, this is context-inappropriate and substantially raises the risk of tampering, unauthorized deployment, or exfiltration.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The implementation comment says the command is executed without a shell, but exec actually invokes a shell. This mismatch can cause maintainers to assume shell metacharacters are harmless and unintentionally introduce exploitable command injection paths elsewhere in the file.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The whitelist explicitly permits the `env` command, which exposes the full process environment to whoever can invoke validated commands. In an ops assistant context, environment variables commonly contain API keys, cloud credentials, database passwords, tokens, and internal endpoints, so this creates a direct sensitive-information disclosure path that is broader than necessary for routine monitoring.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The tracker serializes and stores the full content of monitored configuration files in snapshot JSON files, not just hashes or minimal metadata. Because the default monitored set includes sensitive system files such as sshd_config, resolv.conf, hosts, and cron-related configuration, this turns an integrity-monitoring feature into a local archive of potentially sensitive operational data that can be exposed to other local users, backup systems, or later compromise.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code intends to ensure a configuration directory exists, but instead calls writeFile() on the directory path, which creates a regular file rather than a directory. This can break key storage, prevent secure file creation, and in some environments may cause secrets to be written to unexpected locations or leave the application in a fail-open/error state that undermines credential protection for this ops tool.

Intent-Code Divergence

Low
Confidence
93% confidence
Finding
The code masks environment variable values but still discloses all variable names from container configuration. Environment variable names often reveal secrets technology and internal architecture, such as `AWS_ACCESS_KEY_ID`, `DB_PASSWORD`, or vendor-specific token usage, which can materially aid reconnaissance and credential targeting.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`searchLogs()` builds a shell command with caller-controlled `pattern`, `logPath`, and `lines` and passes it to `exec`, which invokes a shell. An attacker can inject shell metacharacters via the quoted fields or numeric segment and gain arbitrary command execution under the skill's privileges, which is far more capability than simple log filtering requires.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`searchJournalctl()` constructs a `journalctl | grep | tail` shell pipeline from unsanitized `unit`, `pattern`, `since`, and `lines` inputs. Because it uses `exec`, crafted input can break out of the intended command and execute arbitrary shell commands while also reading sensitive system logs.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`analyze()` dynamically assembles shell commands from supplied `logPaths`, `pattern`, and `hours` and executes them with `exec`. This exposes command injection and unauthorized file/system log access in a utility likely to be called with external input, making the skill materially dangerous in an ops context with access to production logs and hosts.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The implementation enforces an explicit username but still silently falls back to loading the operator's default private key from ~/.ssh/id_rsa when no credentials are supplied. That behavior contradicts the stated security posture and can cause unintended use of sensitive local credentials to authenticate to remote systems.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
test/security.test.ts:23

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
src/utils/ssl-monitor.ts:184