Unraid

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Unraid monitoring skill, but it handles sensitive server data in under-disclosed ways and weakens HTTPS protection by default.

Review before installing. Use only a Viewer-role Unraid API key, avoid passing the key on the command line, and be aware the dashboard can persist inventory, container/share/VM details, and recent syslog content into local files and agent memory. Consider removing default debug JSON writes and changing curl usage to verify TLS certificates unless you explicitly accept the self-signed certificate risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation invokes shell scripts but declares no permissions, creating a transparency and policy-enforcement gap. In an agent environment, undeclared shell capability can enable command execution paths that operators and users do not expect, increasing the risk of unintended local file access, network calls, or command abuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a GraphQL monitoring/query tool, but the documented behavior extends to reading a local credentials/config file, generating a multi-server inventory, and writing reports/debug artifacts to disk. This mismatch is dangerous because it broadens data access and persistence beyond the user's likely expectation, enabling sensitive infrastructure discovery and local data leakage.

Intent-Code Divergence

Medium
Confidence
76% confidence
Finding
The documentation instructs users to use SSH and `docker logs`, which expands the operational scope from GraphQL monitoring into direct host access. Even though this line is only guidance, it normalizes a more privileged access path that can expose container output, secrets, and host-level data outside the advertised API-only boundary.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The skill advertises access to logs, shares, containers, VMs, and system status without warning that these outputs may contain sensitive infrastructure details such as hostnames, share names, software inventory, and log contents. In a monitoring context this can lead to over-disclosure to end users or downstream systems, especially when results are persisted or broadly displayed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This section documents reading raw log contents and related monitoring data without warning that logs can contain highly sensitive information such as usernames, IP addresses, authentication events, file paths, tokens, and operational details. In an agent skill context, this increases the risk of unnecessary collection, display, summarization, or onward disclosure of private security-relevant data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide documents queries for authenticated user identity, owner info, SSO status, OIDC providers, and API key metadata without clearly flagging these as access-management data. In a monitoring skill, exposing this information can aid reconnaissance, reveal authentication architecture, and disclose credential-management artifacts that should only be surfaced with strong user intent and authorization.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script intentionally queries `recentLog: logFile(path: "syslog", lines: 100)` and then writes the full raw JSON response to `${NAME}_debug.json`, which can include recent syslog content, host details, workload metadata, and other sensitive operational data. Because the debug file is written by default with no sanitization, opt-in, or access-control handling, it creates an unnecessary local data exposure risk if other local users, backup systems, or later automation can read those files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script allows the API key to be passed via the `-k`/`--key` command-line option and even documents that usage. Command-line arguments are commonly exposed through shell history, process listings (for example via `ps`), audit logs, and CI job logs, which can leak a long-lived credential to other local users or logging systems. In this monitoring skill context, the key likely grants access to Unraid system status and possibly other sensitive administrative data, making credential exposure meaningful.

VirusTotal

64/64 vendors flagged this skill as clean.