Azure Bicep Deploy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Azure deployment helper, but its examples can change live cloud resources and should be reviewed before use.

Install only if you want an agent to help with Azure Bicep deployments. Before running any command, confirm the active Azure tenant, subscription, resource group, parameter file, and expected cost; run what-if/validation first; avoid public ingress unless needed; and do not hardcode real registry passwords in templates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (89% confidence)
Finding
The skill provides copy-pasteable Azure deployment commands that can create or modify real cloud resources, but it does not warn users that these actions affect live infrastructure and may incur cost. In an agent setting, this increases the chance of accidental production changes or unintended spending, especially because the commands are presented as standard usage flows and a quick deploy one-liner.

Missing User Warnings

Medium (89% confidence)
Finding
This reference example deploys a publicly reachable Container App (`external: true`) and demonstrates registry credential handling with an inline placeholder secret, but it does not warn readers about the security implications of public exposure, secret management, or safer alternatives such as internal ingress and managed identity. In a reference/documentation context, users often copy examples directly, so omission of guardrails can lead to accidental internet exposure or insecure secret handling in real deployments.

VirusTotal

64/64 vendors flagged this skill as clean.
