JumpServer Skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real JumpServer reporting skill, but it needs review because it handles credentials and sensitive audit/admin data while auto-installing packages and disabling TLS verification by default.

Install only after review. Specifically:
  • Use a dedicated least-privilege JumpServer account.
  • Set JMS_VERIFY_TLS=true.
  • Prefer scoped AK/SK over username/password.
  • Install dependencies yourself in a controlled virtual environment.
  • Avoid endpoint-verify unless intentionally probing a known safe path.
  • Specify the target organization for reports.
  • Protect or delete the generated .env and report files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (27)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        "[jumpserver-skills] Missing Python dependencies detected: %s. Installing with %s\n"
        % (", ".join(missing_distributions), " ".join(install_command))
    )
    result = subprocess.run(install_command, capture_output=True, text=True, check=False)
    if result.returncode != 0:
        _print_json_error(
            "Automatic dependency installation failed.",
Confidence
94% confidence
Finding
result = subprocess.run(install_command, capture_output=True, text=True, check=False)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to use shell commands, read local template/reference files, write configuration, and access JumpServer over the network, but it does not declare permissions accordingly. This creates a capability/permission mismatch that can bypass governance expectations, making a powerful operational skill appear less privileged than it really is.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The runtime documentation authorizes behavior beyond a query/analysis skill's stated scope by automatically installing dependencies and writing local configuration files. Even though this is framed as operational setup, it introduces host and environment modification capabilities that can change the user's system state and increase the blast radius if the skill or its dependencies are compromised.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The documented entrypoints expand the skill into settings, license, ticket, storage, and governance inspection functions that exceed the declared manifest scope. Scope drift is dangerous because users may invoke higher-sensitivity administrative surfaces under the assumption the skill is limited to reporting and analysis, increasing the chance of over-privileged access or unintended data exposure.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This file exposes capabilities well beyond the declared analytics/reporting scope, including system settings, ticketing, license details, automation inventory, and role-binding queries. That scope expansion increases the chance that a caller can access sensitive administrative metadata through a skill that may be selected for routine analytics tasks, violating least privilege and creating an authorization-bypass-by-design risk if upstream controls are weaker than expected.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Functions such as system_settings_overview, security_policy_check, auth_source_config_check, notification_config_check, and license_detail_query retrieve and return raw configuration and license payloads that may contain sensitive security posture, integration, or infrastructure details. In an analytics skill, exposing these raw objects materially broadens information disclosure risk and can aid follow-on attacks such as targeting auth providers, notification channels, storage backends, or known deployment characteristics.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This skill is described as a query and analysis tool, but it contains bootstrap logic that mutates the host by installing packages. That behavior exceeds the declared scope and can introduce unexpected code execution, supply-chain exposure, and operational side effects on systems where a read-only analytical skill is expected.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The subprocess-based bootstrap is not necessary for the analytical function advertised by the skill and introduces an unnecessary execution path to pip. In agent environments, hidden installation behavior is especially risky because it expands privileges and trust assumptions beyond data retrieval and reporting.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill advertises itself as a query/analysis tool, but it also exposes config-write functionality that can modify local environment configuration. This expands the trust boundary from read-only diagnostics to state-changing behavior, which can be abused to alter endpoints, auth settings, or organizational context and enable later misuse of authenticated operations.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The generic inspect dispatcher allows callers to invoke arbitrary capabilities rather than only the narrowly described query/report actions in the manifest. That creates a confused-deputy risk where future or hidden capabilities could be reached through this entrypoint without corresponding review of whether they match the advertised security scope.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The endpoint verification command accepts an arbitrary authenticated path and performs GET/OPTIONS requests against it. Even without write verbs, this can expose sensitive administrative data from unintended APIs, bypass intended feature scoping, and materially broaden the skill into a generic authenticated API browser.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The helper writes and updates JumpServer configuration, including credentials, into a local .env file and also mutates process environment state. For a skill described as query-and-analysis, persistent configuration mutation expands capability beyond read-only analysis and can create unintended secret storage on disk, especially if invoked by higher-level automation without clear operator awareness.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The organization-resolution flow can automatically persist JMS_ORG_ID when certain reserved organization sets are detected, changing future query scope without an explicit user action in that path. In a governance/audit skill, silently changing persisted scope can cause subsequent queries to run against a different tenant/org context than the user expects, leading to data exposure or misleading audit results.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly encourages users to provide JumpServer credentials through conversation and says the runtime will write them to a local `.env` file, but it does not prominently warn that this stores secrets on disk in plaintext. In an agent or shared workstation context, this increases the risk of credential exposure through filesystem access, backups, logs, repo mishandling, or accidental inclusion in artifacts.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The routing text uses broad triggers like “分析” (analyze), “某天发生了什么” (what happened on a certain day), and usage-overview phrasing that can overlap with ordinary user requests. An overly broad match surface can cause the skill to activate in unintended contexts, leading to unnecessary execution of sensitive CLI workflows against JumpServer data.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill’s trigger language is unusually broad and includes generic phrases like daily usage, what happened on a given day, usage overview, and audit analysis, without strong exclusion boundaries. This can cause the agent to invoke the JumpServer skill for loosely related analytical requests, leading to unintended access to sensitive operational or audit data and unnecessary execution of privileged diagnostic/query workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The playbook requires generating and saving an HTML report to a fixed on-disk path under `reports/`, but it does not require notifying the user that a persistent artifact containing potentially sensitive audit and usage data will be created. In a security/audit skill context, silent local persistence increases the risk of unintended data retention, later disclosure to other users or processes, and violation of data-handling expectations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The playbook directs the agent to run diagnostic and audit/query commands over JumpServer usage, login, session, command, and transfer data without requiring an explicit privacy or authorization check. Because these commands operate on sensitive audit/governance information, lack of a privacy warning and access-validation step can normalize broad inspection of user activity and increase the chance of unauthorized or overbroad data exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document says dependencies may be auto-installed and local `.env` configuration may be written without clearly foregrounding that the user's environment and local files will be modified. In a security-sensitive ops context, silent or implicit state changes are risky because they can introduce unreviewed packages, persist secrets locally, and violate expectations of a read-only analysis skill.

Missing User Warnings

High
Confidence
97% confidence
Finding
Defaulting `JMS_VERIFY_TLS` to `false` weakens transport security by disabling certificate validation, enabling man-in-the-middle interception or spoofing of the JumpServer API endpoint. This is especially dangerous here because the workflow collects or uses highly sensitive credentials such as AK/SK or username/password, so disabled TLS validation can directly expose secrets and session data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This client allows TLS certificate verification to be turned off and also suppresses the resulting certificate warnings, which can hide insecure operation from users and developers. In a JumpServer API client that handles authentication tokens, usernames/passwords, and administrative audit data, this materially increases the risk of man-in-the-middle interception or tampering when deployed against untrusted networks or misconfigured endpoints.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code installs dependencies automatically after only writing a message to stderr, without any explicit confirmation or policy gate. This can cause silent environment changes, unintended outbound network access, and execution of newly downloaded package code in contexts where operators expect analysis-only behavior.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
Recent audit retrieval returns login, session, command, and operation records, including raw records and command content, which may contain highly sensitive operational data. In a skill meant for analysis this may be expected, but exposing such material without any explicit consent, minimization, or warning increases the chance of over-disclosure to users who did not intend to retrieve secrets or regulated audit content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This command performs arbitrary authenticated API reads with no user-facing warning or confirmation, so a user can unknowingly trigger broad data exposure from endpoints outside the stated diagnostic scope. Because it reuses the current authenticated client, the impact is bounded by the caller's privileges but can still include sensitive org, account, permission, or audit data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code path writes JMS_ACCESS_KEY_SECRET and JMS_PASSWORD to a local .env file without any user-facing warning in the function itself. Although the file is chmod'ed to 0600 on a best-effort basis, secrets are still persisted in plaintext on disk, increasing risk of accidental disclosure through backups, workspace sharing, repository mistakes, or other local compromise.

VirusTotal

64/64 vendors flagged this skill as clean.
