
Security audit

AVE Cloud Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine AVE crypto-data skill, but its pro mode starts and manages a persistent Docker container that receives the user's AVE API key as a plain environment variable, and the skill does not disclose this clearly enough.

Install only if you are comfortable giving the skill an AVE Cloud API key and allowing Docker-based pro-mode operation. Review the Docker behavior before using pro streams, stop the ave-cloud-server container when finished, and prefer the non-pro REST paths if you do not want persistent containers or API keys placed into Docker environments. A key passed with docker run -e is visible in the docker process's command line while the container starts, in docker inspect ave-cloud-server output for the container's whole lifetime, and to any user or process that can reach the Docker socket, so treat the container as holding the key in the clear until it is removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _send_to_server(line):
    # Push one line into the server container's FIFO through an inner shell.
    # shlex.quote keeps the line from being parsed as shell syntax; the FIFO
    # path itself is interpolated unquoted.
    result = subprocess.run(
        ["docker", "exec", SERVER_CONTAINER, "sh", "-c",
         f"echo {shlex.quote(line)} > {SERVER_FIFO}"],
        capture_output=True, text=True,
    )
Confidence
96% confidence
Finding
result = subprocess.run( ["docker", "exec", SERVER_CONTAINER, "sh", "-c", f"echo {shlex.quote(line)} > {SERVER_FIFO}"], capture_output=True, text=True, )
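The finding flags the subprocess call itself, but the security-relevant detail is what shlex.quote does for the inner sh -c string and what it does not cover. The following is an added example written for this audit page, not the skill's own code: it rebuilds the skill's argv (quoting the FIFO path as well, which the excerpt does not), runs the inner echo-redirect against a temporary file in place of the container FIFO to show an unquoted line being executed as shell syntax, and offers a variant that keeps the data out of any shell by sending it on stdin of docker exec -i. The FIFO path, the stand-in file, the payload string and the assumption that the image has tee are all constructed for the example.

```python
"""Added example (not the skill's own code): what shlex.quote buys the skill's
`docker exec ... sh -c "echo <line> > <fifo>"` pattern, and a variant that keeps
the data out of the shell command string altogether."""
import os
import shlex
import subprocess
import tempfile

SERVER_CONTAINER = "ave-cloud-server"  # container name stated in the audit overview
SERVER_FIFO = "/tmp/ave-server.fifo"   # assumed path; the audit excerpt does not show it


def fifo_write_argv(line, container=SERVER_CONTAINER, fifo=SERVER_FIFO):
    """argv in the skill's shape: the line is quoted for the inner sh.
    Unlike the excerpt, the FIFO path is quoted too, so a path containing
    spaces or metacharacters cannot alter the command either."""
    return ["docker", "exec", container, "sh", "-c",
            f"echo {shlex.quote(line)} > {shlex.quote(fifo)}"]


def fifo_write_argv_no_shell(line, container=SERVER_CONTAINER, fifo=SERVER_FIFO):
    """Hardened variant (assumes `tee` exists in the image): the line travels on
    stdin of `docker exec -i`, so no shell ever parses it.
    Returns (argv, stdin_text) for subprocess.run(argv, input=stdin_text, text=True)."""
    argv = ["docker", "exec", "-i", container, "tee", "-a", fifo]
    return argv, line + "\n"


def run_echo_locally(line, quoted):
    """Execute the inner `sh -c "echo ... > <path>"` against a temp file instead of
    the container's FIFO and return what landed in the file. An unquoted line is
    parsed as shell syntax; a quoted one is written literally."""
    payload = shlex.quote(line) if quoted else line
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "fifo-stand-in.txt")
        subprocess.run(["sh", "-c", f"echo {payload} > {shlex.quote(path)}"],
                       capture_output=True, text=True, check=True)
        with open(path, encoding="utf-8") as fh:
            return fh.read()


if __name__ == "__main__":
    # Constructed payload: the `;` would terminate the echo in an unquoted build.
    attack = "hello; echo INJECTED"
    print(fifo_write_argv(attack))
    print("unquoted ->", repr(run_echo_locally(attack, quoted=False)))
    print("quoted   ->", repr(run_echo_locally(attack, quoted=True)))
```

Two caveats remain even with quoting: echo itself still treats a leading -n or -e as an option and, under dash, interprets backslash escapes, so a line that begins with a dash or carries backslashes is not written faithfully; printf '%s\n' or the stdin variant above avoids that. And quoting the line does nothing about what the skill can do with the container once it can exec into it, which is the point of the later capability findings.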

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return
    subprocess.run(["docker", "rm", "-f", SERVER_CONTAINER], capture_output=True)
    key = get_api_key()
    # The API key is handed to the container as a plain environment variable,
    # so it appears in the docker argv and in `docker inspect` output.
    result = subprocess.run([
        "docker", "run", "-d", "--name", SERVER_CONTAINER,
        "-e", f"AVE_API_KEY={key}",
        "-e", "API_PLAN=pro",
        "-e", "AVE_USE_DOCKER=true",
Confidence
86% confidence
Finding
result = subprocess.run([ "docker", "run", "-d", "--name", SERVER_CONTAINER, "-e", f"AVE_API_KEY={key}", "-e", "API_PLAN=pro", "-e", "AVE_USE_DOCKER=true",
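The exposure in this finding is concrete and checkable: a value passed as -e AVE_API_KEY=<value> is part of the docker argv and is stored in the container's Config.Env. The block below is an added example for this audit page, not the skill's code. It rebuilds the excerpt's argv, shows the passthrough form (-e AVE_API_KEY with no value, which docker fills from its own environment) that keeps the value off the command line, and parses a constructed docker inspect output to report which secret-bearing variables anyone with Docker socket access can read. The image name, the sample key and the inspect JSON are all constructed for the example; the excerpt is cut off before the real image name.

```python
"""Added example (not the skill's own code): how an API key placed in a
container with `docker run -e AVE_API_KEY=<value>` becomes visible, and a
start-up path that keeps the value out of the command line."""
import json
import os

SERVER_CONTAINER = "ave-cloud-server"             # container name from the audit overview
SERVER_IMAGE = "example/ave-cloud-server:latest"  # assumed; the excerpt ends before the image


def start_argv_as_in_skill(key):
    """The excerpt's shape: the secret is part of argv, so it is visible in `ps`
    while docker starts and in `docker inspect` for the container's lifetime."""
    return ["docker", "run", "-d", "--name", SERVER_CONTAINER,
            "-e", f"AVE_API_KEY={key}", "-e", "API_PLAN=pro",
            "-e", "AVE_USE_DOCKER=true", SERVER_IMAGE]


def start_argv_passthrough(key, base_env=None):
    """Hardened variant: `-e AVE_API_KEY` with no `=value` makes docker copy the
    variable from its own environment, so the value never appears in argv.
    Returns (argv, env) for subprocess.run(argv, env=env). The value is still
    stored in the container config, so the inspect check below still applies."""
    env = dict(base_env if base_env is not None else os.environ)
    env["AVE_API_KEY"] = key
    argv = ["docker", "run", "-d", "--name", SERVER_CONTAINER,
            "-e", "AVE_API_KEY", "-e", "API_PLAN=pro",
            "-e", "AVE_USE_DOCKER=true", SERVER_IMAGE]
    return argv, env


def env_secrets_in_inspect(inspect_output, names=("AVE_API_KEY",)):
    """Parse `docker inspect <container>` JSON and return {VAR: value} for each of
    `names` found in Config.Env: exactly what a Docker-socket holder can read."""
    found = {}
    for container in json.loads(inspect_output):
        for entry in container.get("Config", {}).get("Env", []):
            var, _, value = entry.partition("=")
            if var in names:
                found[var] = value
    return found


# Constructed sample of what `docker inspect ave-cloud-server` returns (trimmed).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/ave-cloud-server",
    "Config": {"Env": ["AVE_API_KEY=sk-test-0000", "API_PLAN=pro",
                       "AVE_USE_DOCKER=true", "PATH=/usr/local/bin:/usr/bin"]},
}])


if __name__ == "__main__":
    key = "sk-test-0000"  # constructed placeholder, not a real credential
    print("skill argv exposes key:", key in " ".join(start_argv_as_in_skill(key)))
    argv, env = start_argv_passthrough(key, base_env={})
    print("passthrough argv exposes key:", key in " ".join(argv),
          "| env carries it:", env["AVE_API_KEY"] == key)
    print("readable via docker inspect:", env_secrets_in_inspect(SAMPLE_INSPECT))
```

The passthrough form only removes the value from the process list; docker inspect, the container's own /proc/1/environ and every process that inherits the environment still see it. If the server must hold the key for its whole lifetime, mounting it from a 0600 file the container reads at start is the smaller exposure, and either way the docker rm -f that the skill already runs is what finally clears it.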

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill instructs the agent to execute Python code, access environment variables containing API credentials, read local files, and make outbound network requests, but it does not declare corresponding permissions. This mismatch can bypass user/admin expectations and policy enforcement, increasing the risk of unintended shell execution, secret exposure, or uncontrolled external communication if the skill is invoked.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Combining WebSocket client logic with Docker lifecycle management and subprocess execution increases the attack surface and trust complexity of the skill. A data-querying tool normally has a narrower risk profile; here, it can create, exec into, and remove containers, making misuse or future injection bugs materially more impactful.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger text is broad enough to match generic crypto or on-chain questions, which can cause the skill to activate in situations the user did not clearly request. Because this skill performs shell execution and outbound API calls using credentials, overbroad invocation expands the attack surface for prompt-triggered tool use and can lead to unnecessary secret-bearing network activity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The container startup path propagates the API key into a containerized runtime without meaningful user-facing warning about credential exposure or local trust assumptions. In a skill context that may be triggered for ordinary token-data queries, this hidden operational side effect makes secret handling riskier because users may not expect container execution or credential placement.

VirusTotal

64/64 vendors reported this skill as clean. Note that a clean antivirus verdict does not address the findings above: placing an API key in a container and executing shell commands are design behaviors, not malware signatures.


Static analysis

No suspicious patterns detected.