Back to skill

Security audit

Google Cloud Platform

Security checks across malware telemetry and agentic risk

Overview

This is a visible Google Cloud command-reference skill, but it can guide powerful cloud actions that require careful approval.

Install only if you want an agent to help operate Google Cloud through your local CLI. Use a least-privileged account, verify the active account and project before commands run, and require explicit confirmation for public access, secret reads, deletes, rollbacks, billing changes, database restores, and production deployments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest understates the skill’s effective capabilities while the body includes higher-risk operations such as Secret Manager access, billing budget management, IAM policy inspection, Artifact Registry, and Cloud SQL administration. This scope mismatch can mislead users or downstream policy systems into granting trust or use beyond what was disclosed, increasing the chance of unauthorized or risky actions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This section adds direct secret creation, retrieval, version management, and destruction to a skill whose stated purpose does not disclose secret-handling powers. Secret-access commands can expose plaintext credentials, and destroy/disable operations can break production systems or enable sabotage if invoked carelessly or by a misled agent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Billing-account and budget management expands the skill into financial governance, which is outside the stated scope and can materially affect cost controls and account configuration. Hidden cost-management capabilities are dangerous because users may not expect the skill to change billing posture or expose billing-account metadata.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Cloud SQL administration introduces database creation, user management, connectivity, backup, and restore actions that exceed the declared skill purpose. In context, these operations can expose databases, alter authentication, or cause operational disruption if an agent uses them under the assumption the skill is limited to simpler infrastructure tasks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented Cloud Run deploy example includes --allow-unauthenticated, which makes the service publicly reachable, but provides no warning about exposure, abuse risk, or when public access is appropriate. In an agent skill, omission of this context increases the chance of unintentionally publishing internal services or endpoints to the internet.

Missing User Warnings

High
Confidence
98% confidence
Finding
The gsutil iam ch allUsers:objectViewer command makes bucket objects publicly readable, yet the skill presents it without a prominent warning about data exposure. This is high risk because a user or agent could unintentionally publish sensitive files, backups, or private application assets to the internet.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The secret access examples return secret values directly, but the skill does not warn that plaintext secrets may be displayed in terminal history, logs, transcripts, or chat output. In an agent context this is especially dangerous because retrieved secrets can be inadvertently echoed back to users or persisted in tooling output.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The secret version destroy command is irreversible, but the documentation only includes a brief inline note rather than a clear destructive-action warning and confirmation guidance. This can lead to accidental permanent loss of credentials or service outages if applications still depend on the destroyed version.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.