Back to skill

Security audit

Emergency Rescue Kit

Security checks across malware telemetry and agentic risk

Overview

This is a transparent emergency recovery checklist with powerful commands that users must review before running.

Install only if you want a developer emergency runbook. Before running any command, confirm the exact repo, branch, host, database, account, and production impact; make backups or snapshots where feasible; coordinate with collaborators; and require explicit human approval for force pushes, hard resets, recursive deletes, log truncation, Docker prune, credential revocation, firewall changes, sudoers edits, and service restarts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (35)

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# 3. Log rotation (immediate)
# Truncate (not delete) large log files to free space instantly
sudo truncate -s 0 /var/log/syslog
sudo truncate -s 0 /var/log/journal/*/*.journal  # systemd journals
find /var/log -name "*.log" -size +100M -exec truncate -s 0 {} \;
# Truncate preserves the file handle so services don't break
Confidence
92% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# 3. Log rotation (immediate)
# Truncate (not delete) large log files to free space instantly
sudo truncate -s 0 /var/log/syslog
sudo truncate -s 0 /var/log/journal/*/*.journal  # systemd journals
find /var/log -name "*.log" -size +100M -exec truncate -s 0 {} \;
# Truncate preserves the file handle so services don't break
Confidence
94% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
kill $(ps aux --sort=-%mem | awk 'NR==2{print $2}')

# 2. Drop filesystem caches (safe, no data loss)
sync && echo 3 | sudo tee /proc/sys/vm/drop_caches

# 3. Disable swap thrashing (if swap is full)
sudo swapoff -a && sudo swapon -a
Confidence
83% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
sync && echo 3 | sudo tee /proc/sys/vm/drop_caches

# 3. Disable swap thrashing (if swap is full)
sudo swapoff -a && sudo swapon -a

# PREVENT: Set memory limits
# Docker:
Confidence
84% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
sync && echo 3 | sudo tee /proc/sys/vm/drop_caches

# 3. Disable swap thrashing (if swap is full)
sudo swapoff -a && sudo swapon -a

# PREVENT: Set memory limits
# Docker:
Confidence
84% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# FIX (manual certificate):
# 1. Get new certificate from your CA
# 2. Replace files:
sudo cp new-cert.pem /etc/ssl/certs/mysite.pem
sudo cp new-key.pem /etc/ssl/private/mysite.key
# 3. Reload web server
sudo nginx -t && sudo systemctl reload nginx
Confidence
89% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# 1. Get new certificate from your CA
# 2. Replace files:
sudo cp new-cert.pem /etc/ssl/certs/mysite.pem
sudo cp new-key.pem /etc/ssl/private/mysite.key
# 3. Reload web server
sudo nginx -t && sudo systemctl reload nginx
Confidence
89% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
sudo cp new-cert.pem /etc/ssl/certs/mysite.pem
sudo cp new-key.pem /etc/ssl/private/mysite.key
# 3. Reload web server
sudo nginx -t && sudo systemctl reload nginx

# FIX (AWS ACM):
# ACM auto-renews if DNS validation is configured.
Confidence
76% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
sudo cp new-cert.pem /etc/ssl/certs/mysite.pem
sudo cp new-key.pem /etc/ssl/private/mysite.key
# 3. Reload web server
sudo nginx -t && sudo systemctl reload nginx

# FIX (AWS ACM):
# ACM auto-renews if DNS validation is configured.
Confidence
76% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# 3. Firewall blocking port 22
# Cloud console:
sudo ufw allow 22/tcp       # Ubuntu
sudo firewall-cmd --add-service=ssh --permanent && sudo firewall-cmd --reload  # CentOS

# 4. Changed SSH port and forgot
Confidence
71% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# 3. Firewall blocking port 22
# Cloud console:
sudo ufw allow 22/tcp       # Ubuntu
sudo firewall-cmd --add-service=ssh --permanent && sudo firewall-cmd --reload  # CentOS

# 4. Changed SSH port and forgot
# Try common alternate ports:
Confidence
73% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# 3. Firewall blocking port 22
# Cloud console:
sudo ufw allow 22/tcp       # Ubuntu
sudo firewall-cmd --add-service=ssh --permanent && sudo firewall-cmd --reload  # CentOS

# 4. Changed SSH port and forgot
# Try common alternate ports:
Confidence
73% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
usermod -aG sudo <username>    # Debian/Ubuntu
usermod -aG wheel <username>   # CentOS/RHEL
# Or edit directly:
visudo
# Add: username ALL=(ALL:ALL) ALL

# 4. Reboot normally
Confidence
74% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
#   nslookup fails

# FIX: DNS broken
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
# Or: sudo systemd-resolve --flush-caches

# FIX: Interface down
Confidence
86% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# FIX: Interface down
sudo ip link set eth0 up
sudo dhclient eth0        # Request new DHCP lease

# FIX: Restart networking entirely
sudo systemctl restart NetworkManager    # Desktop Linux
Confidence
72% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
sudo dhclient eth0        # Request new DHCP lease

# FIX: Restart networking entirely
sudo systemctl restart NetworkManager    # Desktop Linux
sudo systemctl restart networking        # Server
sudo systemctl restart systemd-networkd  # Systemd-based
Confidence
72% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# FIX: Restart networking entirely
sudo systemctl restart NetworkManager    # Desktop Linux
sudo systemctl restart networking        # Server
sudo systemctl restart systemd-networkd  # Systemd-based

# Docker: Container can't reach the internet
Confidence
72% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# WORKAROUND: While waiting for propagation
# Add to /etc/hosts for immediate local effect:
echo "93.184.216.34 mysite.com" | sudo tee -a /etc/hosts
# Remove this after propagation completes!

# VERIFY:
Confidence
82% confidence
Finding
sudo

Credential Access

High
Category
Privilege Escalation
Content
# STEP 4: Check what was exposed
# List every variable that was in the .env:
git show HEAD~1:.env 2>/dev/null || git log --all -p -- .env | head -50
# Rotate every single value.

# PREVENTION: Add a pre-commit hook
Confidence
78% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
# STEP 4: Check what was exposed
# List every variable that was in the .env:
git show HEAD~1:.env 2>/dev/null || git log --all -p -- .env | head -50
# Rotate every single value.

# PREVENTION: Add a pre-commit hook
Confidence
78% confidence
Finding
.env

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# Remove corrupt objects and fetch them again
git fsck --full 2>&1 | grep "corrupt\|missing" | awk '{print $NF}'
# For each corrupt object:
rm .git/objects/<first-2-chars>/<remaining-hash>
git fetch origin  # Re-download from remote

# VERIFY:
Confidence
80% confidence
Finding
rm .git/objects/<first-2-chars>/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# Truncate preserves the file handle so services don't break

# 4. Old build artifacts
find . -name "node_modules" -type d -prune -exec rm -rf {} + 2>/dev/null
find . -name ".next" -type d -exec rm -rf {} + 2>/dev/null
find . -name "dist" -type d -exec rm -rf {} + 2>/dev/null
find /tmp -type f -mtime +7 -delete 2>/dev/null
Confidence
81% confidence
Finding
rm -rf {} + 2>/dev/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# 4. Old build artifacts
find . -name "node_modules" -type d -prune -exec rm -rf {} + 2>/dev/null
find . -name ".next" -type d -exec rm -rf {} + 2>/dev/null
find . -name "dist" -type d -exec rm -rf {} + 2>/dev/null
find /tmp -type f -mtime +7 -delete 2>/dev/null
Confidence
81% confidence
Finding
rm -rf {} + 2>/dev/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# 4. Old build artifacts
find . -name "node_modules" -type d -prune -exec rm -rf {} + 2>/dev/null
find . -name ".next" -type d -exec rm -rf {} + 2>/dev/null
find . -name "dist" -type d -exec rm -rf {} + 2>/dev/null
find /tmp -type f -mtime +7 -delete 2>/dev/null

# 5. Find the actual culprit
Confidence
81% confidence
Finding
rm -rf {} + 2>/dev/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
git gc --prune=now --aggressive

# STEP 5: Force push the cleaned history
git push origin --force --all
git push origin --force --tags

# STEP 6: Notify all collaborators to re-clone
Confidence
90% confidence
Finding
git push origin --force --all git push origin --force

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.