Security audit

JumpServer

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches its JumpServer query purpose, but it handles infrastructure credentials while disabling TLS certificate verification, so it needs review before use.

Install only in a trusted local environment, protect .env.local as a secret file, avoid shared workspaces, and prefer network paths where certificate verification can be restored or independently controlled. Review the use of JMS_SDK_MODULE/JMS_SDK_GET_CLIENT and --confirm-install before allowing an agent to run the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
import importlib  # imports implied by the excerpt, not shown in the scanner's snippet
from typing import Any, Callable


def import_string(path: str) -> Any:
    # Split "package.module.attr" into the module path and the attribute name.
    module_name, attr_name = path.rsplit(".", 1)
    # Import the named module, then resolve the attribute dynamically;
    # this getattr() on user-controlled input is the flagged call.
    module = importlib.import_module(module_name)
    return getattr(module, attr_name)


def load_get_client() -> Callable[..., Any]:
    ...  # function body is not included in the scanner excerpt
Confidence
86% confidence
Finding
return getattr(module, attr_name)

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The bootstrap logic can modify the local Python environment by automatically installing packages from requirements.txt when invoked with --confirm-install. That exceeds the skill's declared read-only, query-oriented scope and creates a supply-chain and integrity risk: running the skill can cause code to be fetched from package indexes and installed, a side effect well outside the advertised behavior.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Including subprocess-driven pip installation in a JumpServer read-only query skill broadens the trust boundary and permits environment mutation unrelated to asset/audit queries. In this context, that makes the skill more dangerous because a user expecting non-mutating behavior may still trigger package installation, exposing the host to dependency confusion, malicious package updates, or unreviewed code execution during install.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This helper writes credentials and other runtime settings into .env.local, a persistent state change that is inconsistent with a skill described as read-only and query-oriented. In an agent setting, hidden local state mutation can surprise operators, alter later executions, and keep sensitive material on disk longer than expected.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The org-selection logic can automatically persist a default organization into .env.local without explicit user confirmation. Even if the change seems minor, it silently mutates future execution context and may cause queries to run against an unintended organization.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly instructs users to collect credentials and persist them into a local `.env.local`, including access keys, secrets, and passwords, but does not warn about the sensitivity of those secrets or safe handling requirements. In a skill designed to initialize environments for an infrastructure access platform, this increases the chance of credential leakage through filesystem exposure, backups, shell history, accidental commits, or shared workspaces.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly instructs users to collect JumpServer credentials and persist them into a local `.env.local` file, but it does not warn about the sensitivity of those secrets, expected file permissions, exclusion from version control, or local compromise risk. In a skill intended for routine operations, normalizing plaintext secret storage without guardrails increases the chance of credential disclosure through accidental commits, backups, shared workspaces, or weak host security.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document explicitly instructs users to run a command that writes credential material, including `JMS_PASSWORD`, into `.env.local` without any warning about secret persistence, file permissions, or safer alternatives. In a security-sensitive JumpServer skill, normalizing plaintext secret storage increases the chance of credential exposure through local files, backups, shell history, or accidental commits.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The documentation states that the workflow may automatically write back `JMS_ORG_ID` under certain conditions, but does not clearly warn that this changes persistent local configuration. While the value is not a secret, undocumented stateful behavior can cause users or downstream automation to operate against the wrong organization context, leading to confusion or unintended data access scope.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code disables urllib3 HTTPS certificate warnings and constructs clients with verify=False, removing TLS certificate validation. This allows man-in-the-middle interception of JumpServer traffic, exposing credentials, tokens, and returned data while making the compromise hard to notice.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.