Back to skill

Security audit

Unraid

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Unraid monitoring skill, but it under-discloses sensitive local persistence and weakens HTTPS protection for API-key requests.

Install only if you are comfortable with an agent querying sensitive Unraid infrastructure data. Use a Viewer-role API key, avoid passing keys on the command line, review or remove the dashboard’s default debug JSON and memory-bank inventory writes, and change the curl behavior to verify TLS certificates unless you explicitly accept the self-signed-certificate risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs use of shell commands and local helper scripts, but it declares no permissions or trust boundaries. That creates an implicit capability gap: an agent may execute local shell-based tooling without users or policy layers understanding that code execution is involved, increasing the chance of unintended command execution or unsafe handling of credentials and outputs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The reported behavior goes beyond the stated monitoring purpose by reading local credential/config files and writing inventory and raw API-response artifacts to disk. This is dangerous because it expands the data-access and persistence surface without clear disclosure, potentially exposing secrets, infrastructure details, logs, shares, and other sensitive operational data to other local processes or future prompts.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The reference guide materially expands the skill from monitoring/status checks into broader discovery of account, configuration, authentication, and API-key related data. Even if these are read-oriented queries, exposing and encouraging their use increases the chance the agent will enumerate sensitive administrative metadata beyond the manifest’s stated purpose and least-privilege expectations.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
Documenting GraphQL introspection teaches the agent or operator how to discover the full schema, including capabilities not intended for this monitoring skill. While introspection is not inherently harmful, in this context it enables capability expansion and easier access to undocumented or higher-risk queries.

Intent-Code Divergence

Low
Confidence
78% confidence
Finding
The guide claims to cover only read-only queries, yet it includes examples like API key enumeration and other potentially privileged data access. This mismatch can mislead reviewers and users into underestimating the sensitivity of the documented operations and the permissions they may require.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script requests recent syslog content and then persists the full GraphQL response to a local debug file, which can include sensitive operational data, host details, and log entries unrelated to the user’s immediate monitoring request. This exceeds a minimal monitoring/dashboard function and creates unnecessary local retention of potentially sensitive information that could later be exposed to other local users, tooling, or logs.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list is broad and includes open-ended phrases like 'And more Unraid-related monitoring tasks,' which can cause the skill to activate on loosely related requests. Over-broad activation increases the chance that sensitive infrastructure-monitoring workflows are invoked unintentionally, exposing server metadata, logs, or operational details when the user did not explicitly request this skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill prominently exposes access to logs and shares, both of which commonly contain sensitive information such as hostnames, file names, user activity, paths, configuration details, or tokens, yet it provides no warning or handling guidance. In a monitoring skill, this context makes the issue more serious because users may treat routine status checks as low risk while inadvertently retrieving or disclosing high-sensitivity operational data.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The guide provides direct API usage patterns and authentication header examples without any warning about secure key handling, least privilege, or the sensitivity of returned data. In an agent skill context, this normalizes broad access and can lead to accidental exposure of infrastructure metadata or misuse of long-lived API keys.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The log-reading examples encourage retrieval of raw system log content without warning that logs can contain credentials, tokens, internal IPs, usernames, authentication events, and other sensitive operational details. In this skill context, exposing arbitrary log access is more dangerous because it goes beyond simple status monitoring and can leak high-value information from a production server.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script saves the complete API response to `${NAME}_debug.json` without filtering, and that response includes recent syslog content plus detailed infrastructure metadata. Silent persistence of raw logs and system data creates a confidentiality risk and can expose secrets, tokens, hostnames, service details, or personal data present in logs.

External Transmission

Medium
Category
Data Exfiltration
Content
fi

# Make the request
RESPONSE=$(curl -skL -X POST "$URL" \
    -H "Content-Type: application/json" \
    -H "x-api-key: $API_KEY" \
    -d "{\"query\":\"$QUERY\"}")
Confidence
97% confidence
Finding
curl -skL -X POST "$URL" \ -H "Content-Type: application/json" \ -H "x-api-key: $API_KEY" \ -d

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.