Axiomata Web Deploy

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks an agent to autonomously change live Docker services and DNS records while understating credential and file access.

Review before installing. Use only with a least-privileged DNS token scoped to the intended zone, confirm the exact domain, IP, container name, ports, and cleanup target before running, and avoid allowing the skill to read home-directory credential files unless you explicitly approve the path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 82%
Finding
The skill claims it only operates within the project directory, but later instructs reading secrets from a fixed path in the user's home directory. That mismatch broadens data access expectations and could cause an agent to touch sensitive files outside the declared scope, weakening user trust and increasing the chance of unintended secret exposure.

Intent-Code Divergence

Low
Confidence: 80%
Finding
Although the documentation says not to embed credentials, it provides concrete commands to extract secrets from a predictable file in $HOME. This normalizes automated access to sensitive local files and may encourage agents to probe home-directory credential stores without explicit user confirmation.

Vague Triggers

Medium
Confidence: 90%
Finding
The manifest uses broad trigger phrases like 'build and deploy' and 'setup web server,' which can match ordinary user requests that do not imply consent for autonomous infrastructure changes. Overbroad activation increases the chance the skill runs in inappropriate contexts and performs network, Docker, or DNS actions unexpectedly.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill includes destructive commands that stop and remove existing containers and overwrite port bindings, but the description does not clearly warn users about these side effects. In an autonomous deployment context, this can interrupt running services or destroy prior deployments without sufficient user awareness.

VirusTotal

65/65 vendors flagged this skill as clean.