Security audit

Nebula Claw Developer

Security checks across malware telemetry and agentic risk

Overview

This skill has a clear disposable-VM purpose, but it gives agents infrastructure-changing power with weakly documented authentication, credential handling, deletion safeguards, and privileged setup boundaries.

Install only in a controlled OpenNebula environment after confirming the API is authenticated, bound to localhost or a protected network, uses least-privilege credentials, avoids plaintext password passing, and requires careful target verification before any hard VM deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises shell-capable bundled resources (`scripts/vm_api.sh`) and operational behavior that can provision and destroy infrastructure, but it does not declare any explicit permissions. This creates a transparency and governance gap: callers may invoke a skill with infrastructure-changing capabilities without an auditable permission boundary, increasing the chance of unintended execution or misuse.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The document states that actions use a dedicated non-admin user, but the examples actually run the local CLI as `oneadmin` and then pass restricted-user credentials to the API-facing commands. This can mislead deployers about the true trust boundary and may normalize running the service through a privileged local account, increasing the chance of privilege misuse or accidental expansion beyond the intended restricted control plane.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup instructions embed a real-looking password directly in commands and examples, which encourages credential reuse and exposes secrets via shell history, process listings, logs, screenshots, and copied documentation. In a control-plane skill that provisions and terminates VMs, leaked credentials could allow unauthorized VM creation, inspection, or destruction within the allowed scope.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- Keep the curated `templates` allowlist small and documented with descriptions.
- Add TTL-based cleanup for disposable VMs.
- Restrict bind address and network exposure according to the deployment.
- Ensure the service account has passwordless sudo for the exact `one*` binaries used by the API, otherwise systemd runs can hang on sudo prompts.
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- Keep the curated `templates` allowlist small and documented with descriptions.
- Add TTL-based cleanup for disposable VMs.
- Restrict bind address and network exposure according to the deployment.
- Ensure the service account has passwordless sudo for the exact `one*` binaries used by the API, otherwise systemd runs can hang on sudo prompts.
Confidence
93% confidence
Finding
sudo

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- `GET /health`
- `GET /vms`
- `POST /vms`
- `DELETE /vms/<vm_id_or_name>`

Prefer readable VM and template names over numeric identifiers whenever possible.
Confidence
88% confidence
Finding
`DELETE /vms/<vm_id_or_name>`

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Delete by name when possible:

```text
DELETE /vms/test-nebula-api-2026-04-10
```

## Expected environment inputs
Confidence
85% confidence
Finding
DELETE /vms/test-nebula-api-2026-04-10

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.