Lemonade Server Manager

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for managing Lemonade servers, with disclosed network/API-key use and no hidden execution or unrelated access.

Install only if you intend to let an agent manage a Lemonade server. Use trusted server URLs, prefer HTTPS or a private network for remote hosts, protect and rotate LEMONADE_API_KEY if exposed, and confirm before downloading, loading, or unloading large models.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The README instructs users to configure an API key and interact with local or remote Lemonade servers, but it does not clearly warn that requests may transmit credentials, model-management commands, and sensitive system or hardware metadata over the network. In a skill specifically designed for remote orchestration, omission of a user-facing data-handling warning can lead to unsafe deployment against untrusted hosts, accidental credential exposure, or disclosure of internal infrastructure details.

VirusTotal

65/65 vendors flagged this skill as clean.
