Back to skill

Security audit

INWX

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed INWX domain-management skill, but it can make real registrar, DNS, and DNSSEC changes when configured with write access.

Install only if you intend to let an agent access your INWX account. Start in OTE for testing, use readOnly=true for lookup-only use, and set allowedOperations to the exact tools needed. Treat domain deletion, transfers, renewals, DNS changes, DNSSEC disable, and contact updates as production-impacting actions that should require explicit human approval in your workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements an end-to-end workflow that goes beyond INWX registrar management and invokes ISPConfig provisioning for hosting, mail, and databases. That capability expansion is dangerous because a caller expecting only registrar actions may unintentionally trigger broader infrastructure changes across a second system, increasing blast radius and violating least-privilege expectations.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The documented workflow explicitly includes hosting provisioning via `isp_provision_site`, plus optional mail and database creation, despite the skill being described as domain registrar management. Hidden cross-system capabilities create a confused-deputy risk: consumers may grant trust or credentials appropriate for registrar operations while the code can also create service resources in another administrative plane.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation instructs users to provide highly sensitive registrar credentials and an OTP shared secret, but it does not warn about secure storage, logging risks, or secret handling practices. Exposure of these values could allow full account takeover of the registrar context, including domain changes, DNS hijacking, transfers, and other high-impact actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented write tools can create, update, transfer, renew, or delete domains and DNS resources, which may be destructive, security-sensitive, or billable, yet the documentation does not clearly warn users about these effects. In registrar contexts, misuse or accidental invocation can result in domain loss, DNS hijacking, service outage, or unexpected charges, making omission of warnings materially risky.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest exposes a broad set of high-impact registrar functions, including domain registration, transfer, deletion, DNS changes, nameserver changes, and contact updates, but does not declare any trigger constraints, approval requirements, or narrow task scope. In the context of a domain registrar skill, this is dangerous because a compromised or overly-permissive agent invocation could directly alter ownership, availability, and DNS routing for real domains, enabling service disruption, hijacking, or persistence.

Natural-Language Policy Violations

Low
Confidence
82% confidence
Finding
The manifest defaults the environment to 'production', which increases the chance that testing, mis-invocation, or prompt-induced actions will execute against live registrar resources instead of a safe test endpoint. Because this skill includes destructive and ownership-affecting operations, a production default materially raises the likelihood of accidental real-world DNS, registration, transfer, or deletion changes.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The workflow performs potentially irreversible or billable operations—domain registration, nameserver changes, and hosting provisioning—without any confirmation gate, dry-run mode, or policy check in this file. In agent contexts, that makes accidental execution more likely and can lead to unwanted purchases, service changes, outages, or creation of persistent infrastructure from a single invocation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The domain deletion tool directly exposes a destructive registrar operation without any visible confirmation, dry-run, or additional guard in this layer. In an agentic context, accidental invocation, prompt-manipulated tool use, or parameter confusion could cancel or delete a domain, causing service outage, email disruption, and possible loss of ownership depending on registrar behavior.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Deleting DNS records is a destructive action that can immediately break routing for web, mail, verification, or other services, yet this wrapper adds no confirmation or protective validation. In a tool-using agent, a mistaken or manipulated call could silently remove critical records and create outages or enable follow-on attacks by disrupting security-related DNS entries.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Disabling DNSSEC weakens domain integrity protections and can expose users to spoofing or downgrade scenarios, but this tool invokes dnssec.delete with no visible warning, confirmation, or policy gate beyond generic tool allowance. In this registrar-management context, the absence of friction around security-control removal makes accidental or induced misuse more dangerous than in a read-only skill.

VirusTotal

No VirusTotal findings

View on VirusTotal