Back to skill

Security audit

HC DWS CPU Diag Test2

Security checks across malware telemetry and agentic risk

Overview

The core DWS CPU diagnostic workflow is coherent, but the skill asks for under-scoped cloud CLI use and includes unrelated OBS credential setup that users should review before installing.

Review the install guides before using this skill. Prefer the MCP tools or a clearly permissioned hcloud workflow, use least-privilege temporary DWS credentials, avoid entering AK/SK on command lines, keep config files out of version control with restrictive file permissions, and do not configure OBS/obsutil unless you independently confirm it is needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill exceeds its stated diagnostic/tool-only scope by instructing the agent to write an HTML report into the workspace. Unnecessary file creation introduces side effects, can overwrite or clutter user files, and expands the agent's effective capabilities beyond the declared tool boundary.

Scope Creep

High
Confidence
95% confidence
Finding
The skill declares only MCP tools in allowed-tools, but the instructions direct execution of hcloud CLI commands outside that allowlist. This creates a permission-model mismatch that can let the skill invoke undeclared execution channels, undermining sandboxing and enabling broader host interaction than reviewers or policy expect.

Scope Creep

High
Confidence
97% confidence
Finding
The skill instructs saving an HTML file despite no declared file-write permission baseline. Hidden write behavior is dangerous because it bypasses user expectations and policy review, and in some runtimes could be leveraged to plant files, overwrite outputs, or create artifacts consumed by later workflows.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file header and stated purpose describe an OBS Object Storage Statistics installation guide, which does not match the declared DWS CPU diagnosis skill. This kind of scope mismatch is dangerous because it can cause operators or downstream agents to install and configure unrelated cloud tooling, expanding access and trust boundaries beyond what the skill needs.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The guide introduces OBS-specific tooling, credential setup, endpoint details, and bucket-listing verification commands even though the skill is supposed to diagnose DWS CPU issues. In this context, that is risky because it encourages unnecessary credential provisioning and use of storage-access utilities unrelated to the advertised function, increasing the chance of over-privileged access or misuse.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The obsutil configuration example places AK/SK directly on the command line, which can leak secrets through shell history, process listings, audit logs, or terminal recording. Unlike the hcloud section, this example does not include an adjacent warning, making unsafe secret handling more likely for users following the guide.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly instructs users to place AK/SK secrets in plaintext in a YAML file and via CLI arguments before encryption occurs, but it does not clearly warn about the exposure risks during that window. This can lead to credential leakage through shell history, process listings, copied configs, screenshots, or accidental commits, especially because this skill is operational and encourages direct handling of production cloud credentials.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The reset command is described as a simple utility action, but it clears all parameters and removes crypt.json, making it destructive. Without a prominent warning or confirmation guidance, users or downstream agents may run it unintentionally, causing loss of configuration and interruption of authenticated access.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.