Vultr

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Vultr management skill, but it exposes broad cloud and account-changing powers without enough scoping or safety guardrails.

Install only if you intentionally want an agent to administer a Vultr account. Use a narrowly scoped API key where possible, protect the key file, avoid production-wide credentials, and require your own explicit review before any delete, reinstall, user-management, DNS, firewall, storage, Kubernetes, database, billing, ticket, or key-regeneration action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The documented scope understates the operational breadth of the skill: the detected behavior includes additional high-sensitivity functions such as user management, support tickets, startup scripts, backups, and ISO management. This mismatch can cause operators or orchestrators to invoke the skill under incomplete assumptions, increasing the risk of unintended access to account-level data or execution of higher-impact actions.

Description-Behavior Mismatch
Severity: Medium
Confidence: 72%
Finding: User-management operations are materially more sensitive than ordinary infrastructure listing or lifecycle actions because they can create, modify, or delete account users and therefore change who has access to the cloud account. When these capabilities are absent from the manifest's stated scope, users and reviewers may underestimate the privilege level of the skill and approve it for broader use than intended.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The script exposes capabilities beyond the skill manifest, including support tickets, users, startup scripts, ISO handling, and VPC 2.0. In an agent setting, this expands the effective permission surface beyond what operators may expect, increasing the chance of unauthorized or unsafe actions through capability mismatch.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: User management is materially broader and more sensitive than ordinary infrastructure lifecycle operations because it can create, modify, or delete identities and potentially enable API access. If an agent can perform these actions without explicit scoping, it may escalate privileges, create backdoor accounts, or disrupt account access.

Context-Inappropriate Capability
Severity: Low
Confidence: 82%
Finding: Support ticket creation and closure are not core to the stated infrastructure-management purpose and allow external communication with the cloud provider. While lower impact than identity or credential issues, they can still leak sensitive operational details or create unwanted provider-side actions and audit noise.

Vague Triggers
Severity: Medium
Confidence: 85%
Finding: The invocation text is broad enough to match generic cloud-management requests, which may cause the skill to activate in ambiguous situations. In a cloud infrastructure context, overbroad routing is risky because the skill supports state-changing operations across production resources and billing-adjacent data.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: Repeating an overly broad activation condition reinforces unsafe auto-selection behavior and makes accidental invocation more likely. Because this skill can create, modify, and delete infrastructure, ambiguous triggering materially raises the chance of unintended destructive or privacy-impacting actions.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The documentation advertises destructive actions such as stopping, rebooting, and deleting instances, and creating infrastructure changes, without any warning about operational impact or confirmation requirements. In a cloud management skill, this is dangerous because an agent or user could perform irreversible or production-impacting actions without pause, causing downtime, data loss, or cost exposure.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The setup instructions cover persistent API key storage and later retrieval of sensitive configuration such as kubeconfig, but provide no warnings about credential sensitivity, rotation, local compromise risk, or avoiding accidental disclosure. In this context, the skill operates with cloud-account authority, so weak guidance around secret handling can lead to account takeover or exposure of cluster/admin access.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The reference documents the use of an API key in the Authorization header and describes numerous destructive actions such as delete, reinstall, restore, key regeneration, and detach operations, but provides no safety guidance on credential handling, confirmation of destructive effects, or service-impact warnings. In a cloud-administration skill, this omission increases the chance of accidental destructive actions and mishandling of highly privileged credentials.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The script directly performs destructive operations such as delete and other state-changing actions without confirmation, dry-run support, or guardrails. In an agent workflow, misinterpretation, prompt injection, or simple user error could immediately destroy cloud resources or cause outages.

VirusTotal

66/66 vendors flagged this skill as clean.