Back to skill

Security audit

Vagrant Skill

Security checks across malware telemetry and agentic risk

Overview

This VM sandbox skill mostly does what it claims, but it needs review because its default template forwards the user's SSH agent into a VM meant for risky experimentation.

Review the generated Vagrantfile before use and disable SSH agent forwarding unless you explicitly need it. Treat anything copied or forwarded into the VM, including credentials and project files, as accessible to code running there. Approve repository file changes and copy out needed VM-local work before running `vagrant destroy -f`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are very broad (`set up a dev environment`, `I need Docker`, `clean environment`, `network testing`) and overlap with many ordinary requests. That increases the chance the skill is invoked in situations where a less-privileged local workflow would suffice, expanding exposure to VM creation, package installation, and command execution unnecessarily.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document explicitly proposes injecting JWT-SVIDs and retrieving job secrets inside guest workloads, then running agent code with those secrets in environment. In a skill whose purpose is to run untrusted or experimental workloads in disposable VMs, this is risky because any code executing in the VM can read and exfiltrate those credentials unless strong usage constraints, redaction, and user-facing warnings are present.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.