Veeam MCP

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Veeam monitoring skill, but it asks users to trust an external beta Docker MCP server with long-lived administrator credentials for backup infrastructure.

Install only if you can verify the Veeam MCP server package and Docker image came from a trusted Veeam source. Use a dedicated least-privilege account instead of shared administrator credentials, protect and rotate the credential file, prefer trusted TLS certificates over self-signed acceptance, and avoid the interactive MCP script until you have reviewed the server's available tools and permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill clearly facilitates network access to Veeam servers and an MCP server, yet no explicit permissions declaration is documented. This can mislead users and tooling about the skill's effective capabilities, reducing review visibility for networked data access to backup infrastructure.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The troubleshooting example embeds the admin password directly in a shell command via an environment variable. On many systems this can be exposed through shell history, process listings, terminal logging, screenshots, or copied transcripts, directly contradicting the security note.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes natural-language querying of live backup and infrastructure systems via Veeam Intelligence, but it does not clearly warn users that prompts and returned context may contain sensitive operational data and may be transmitted to an external analysis service. In a backup-monitoring context, this can expose hostnames, job history, alert contents, capacity data, and potentially other environment metadata to a third-party AI service without informed user consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The quick-start instructs users to place Veeam usernames and passwords in a plaintext JSON file under their home directory, with no explicit warning about the sensitivity of those credentials or safer alternatives. Although `chmod 600` reduces exposure to other local users, the secrets still remain readable to the account owner, shell tooling, backups, malware, and any process running as that user, which is significant because these credentials may grant access to backup infrastructure and monitoring systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes natural-language queries and AI-backed processing but does not clearly warn that user prompts, backup metadata, infrastructure details, and possibly alert/job information may be transmitted to Veeam Intelligence for processing. In a backup-monitoring context, that data can contain sensitive operational and asset information, so omission of a privacy notice meaningfully increases risk.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script reads plaintext credentials from a local file and injects them into a docker run command as environment variables without a meaningful warning or stronger secret-handling controls. Environment variables can be exposed through process inspection, container introspection, logs, crash reports, or debugging workflows, so this increases the chance of credential leakage even if the script's purpose is legitimate.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads credentials from a local JSON file and passes them into `docker run` as environment variables. Credentials in container environment variables can be exposed through process inspection, Docker metadata, debugging output, container crash diagnostics, or other users with sufficient host access, so this is a real secret-handling weakness even if used only for testing.

Session Persistence

Medium
Category
Rogue Agent
Content
## Configuration

### Create Credentials File

Create `~/.veeam-mcp-creds.json`:
Confidence
89% confidence
Finding
Create Credentials File Create `~/.veeam-mcp-creds.json`: ```json { "vbr": { "url": "https://veeam-server.yourdomain.com:443/", "username": ".\\administrator", "password": "your_secure

VirusTotal

63/63 vendors flagged this skill as clean.
