Back to skill

Security audit

Tailscale

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Tailscale administration skill, but it can make powerful network changes and should only be used when that is intended.

Install this only if you want the agent to help administer your Tailscale tailnet. Use a least-privilege API key where possible, protect the config file, do not commit credentials, and require explicit review before running Funnel, deleting devices or keys, creating reusable auth keys, changing tags, toggling MagicDNS, or exposing ACL data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly invokes shell commands (`tailscale`, `jq`, and local scripts) but does not declare corresponding permissions. Hidden or undeclared execution capability reduces transparency and can lead users or orchestrators to authorize a skill without understanding that it can run commands affecting local network state and tailnet configuration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill primarily as status/listing/ping/file-transfer/funnel/auth-key management, but the documented behavior also includes destructive and administrative actions such as device deletion, authorization, tag changes, MagicDNS toggling, and ACL/DNS inspection. This mismatch can cause an agent or user to invoke the skill under a less risky mental model than its actual privileges and effects.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script exposes administrative capabilities well beyond the manifest’s described status/listing and basic network operations, including device authorization/deletion, DNS changes, ACL access, and auth-key lifecycle management. In an agent setting, this kind of scope expansion is dangerous because a user or prompt injection targeting this skill could trigger powerful side-effecting actions that operators would not reasonably expect from the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
ACL inspection and validation provide access to sensitive tailnet policy data and administrative workflows that are not justified by the stated skill purpose. Even read/validate access can leak internal network policy structure or be abused by an agent to operate outside expected bounds.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The ability to toggle MagicDNS modifies tailnet-wide DNS behavior, which is a privileged configuration change not supported by the manifest’s stated use cases. In an agent context, hidden configuration mutation is especially risky because it can disrupt name resolution, alter network behavior, and exceed user expectations of a status-oriented tool.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises high-impact actions such as publicly exposing services with Funnel and authorizing or deleting devices, but it does not warn users about the security and availability consequences of those operations. In an agent skill context, this increases the chance that a user or downstream automation invokes dangerous actions without informed consent or confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples include `tailscale funnel 8080`, which exposes a local service to the public internet, but the documentation provides no warning about exposure scope, authentication expectations, or the risk of publishing unintended services. Because examples are often copied verbatim, this can directly lead to accidental internet exposure.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The README instructs users to create and store a Tailscale API key in a local config file and environment variables, but it does not warn that the key is sensitive, should not be committed, and should be protected with least privilege and rotation. This omission can result in credential leakage through shell history, source control, or weak file permissions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
`tailscale funnel` exposes a local service publicly to the internet, which is materially different from private tailnet sharing. Documenting this without an explicit warning increases the chance of accidental external exposure of development tools, internal apps, or sensitive data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documented delete operation is destructive and can remove devices from the tailnet, potentially disrupting access, routing, or service availability. Without an explicit warning or confirmation requirement, an agent could carry out irreversible or hard-to-recover administrative actions too casually.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Auth keys are sensitive credentials that can grant device enrollment or persistent access, especially when reusable. Presenting key creation without warning about secrecy, scope, reuse, tagging, and expiry risks can lead to credential leakage or overbroad access to the tailnet.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The device deletion command performs an irreversible destructive action immediately, with no warning, confirmation, or safety interlock. In an automated agent workflow, this increases the chance that ambiguous user input, prompt injection, or parameter confusion could remove devices from the tailnet and cause service disruption.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The auth key deletion command removes credentials without any user-facing confirmation or friction. Because auth keys control future device enrollment, accidental or induced deletion can break automation, onboarding, or incident response workflows and is especially risky in an agent-operated environment.

Session Persistence

Medium
Category
Rogue Agent
Content
**API (tailnet-wide):**
- **Devices** — list all devices, authorize/delete, set tags
- **Auth keys** — create reusable/ephemeral keys for new devices
- **DNS** — manage nameservers, toggle MagicDNS
- **ACLs** — view and validate access control policies
Confidence
78% confidence
Finding
create reusable/ephemeral keys for new devices - **DNS** — manage nameservers, toggle MagicDNS - **ACLs** — view and validate access control policies ## Setup ### CLI Only (No Config Needed) The `t

Tool Parameter Abuse

High
Category
Tool Misuse
Content
cmd_delete() {
    local id
    id=$(resolve_device "$1")
    api DELETE "/device/${id}"
    echo '{"status": "ok", "device": "'"$id"'", "deleted": true}'
}
Confidence
89% confidence
Finding
DELETE "/device/${id}

Tool Parameter Abuse

High
Category
Tool Misuse
Content
cmd_delete_key() {
    local id="$1"
    api DELETE "/tailnet/${TS_TAILNET}/keys/${id}"
    echo '{"status": "ok", "key": "'"$id"'", "deleted": true}'
}
Confidence
88% confidence
Finding
DELETE "/tailnet/${TS_TAILNET}/keys/${id}

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.