Prod Deploy

Security checks across malware telemetry and agentic risk

Overview

This skill is a real production deployment helper, but it exposes a plaintext root password and can change a live production server without strong safeguards.

Do not install or run this version as published. Rotate the exposed server password, remove all embedded credentials, disable password-based root deployment, use a scoped deploy account or secret manager, add explicit production confirmations and dry-run/preflight checks, and replace broad rollback/restart commands with targeted, validated procedures.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill performs shell execution and local file read/write operations but does not declare permissions or constraints. In an agent environment, undeclared powerful capabilities reduce transparency and can lead to unsafe execution of destructive deployment steps without explicit approval boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The skill embeds a production server IP, root username, and plaintext password, and instructs direct deployment and remote administration of a live production system. Hardcoded root credentials create immediate compromise risk if the skill file is exposed, and the skill's stated purpose understates how sensitive and dangerous its actual behavior is.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The quick reference exposes direct production root SSH access and a plaintext server password in documentation. This creates an immediate secret-disclosure and privileged-access risk: anyone who can read the file can log into the production host as root and fully compromise the application, data, and infrastructure.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough that ordinary requests like 'deploy code' or 'go live' could invoke a production deployment workflow unintentionally. Because this skill targets a real production environment and includes backup, migration, restart, and rollback steps, accidental invocation could cause outages or unauthorized changes.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill describes destructive production operations while exposing root credentials in the instructions and failing to warn or constrain their use. This materially increases the chance that an operator or agent will perform privileged actions directly on production with maximum blast radius.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The document presents a one-command production deployment path without an explicit warning that it changes live systems and may trigger migrations, restarts, or outages. In a deployment skill, this increases the chance of accidental execution by an operator or agent without proper confirmation or change-control checks.

Missing User Warnings

High
Confidence
96% confidence
Finding
The rollback section includes pg_restore and git reset --hard, both of which can overwrite state and destroy data, yet the document does not prominently warn about irreversibility or operator validation steps. In a production SOP, this can cause major data loss or service instability if run against the wrong backup, host, or commit.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The rollback section contains destructive production operations such as database restore, hard git reset, and service restarts without explicit warnings about downtime, irreversible data loss, or requirements for operator confirmation. In a deployment skill intended for one-click or guided execution against a live production server, this omission materially increases the chance of accidental destructive use.

Missing User Warnings

High
Confidence
97% confidence
Finding
The main flow immediately connects to production and performs destructive actions such as uploading files, running migrations, and restarting services without any explicit confirmation, dry-run, environment gate, or rollback approval. In an agent skill context, this is especially dangerous because accidental invocation, prompt confusion, or misuse can trigger irreversible production changes on a live system.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
ssh root@157.245.56.178 "pg_restore -d smdating /tmp/smdating_backup_YYYYMMDD_HHMMSS.dump"

# 2. Restore code (from Git)
ssh root@157.245.56.178 "cd /var/www/sm-dating-website && git reset --hard HEAD~1"

# 3. Restart services
ssh root@157.245.56.178 "pm2 restart all"
Confidence
91% confidence
Finding
git reset --hard: discards every uncommitted change in the working tree and moves the branch back one commit, with no check that HEAD~1 is the intended release.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
ssh root@157.245.56.178 "pg_restore -d smdating /tmp/smdating_backup_YYYYMMDD_HHMMSS.dump"

# 2. Roll back code
ssh root@157.245.56.178 "cd /var/www/sm-dating-website && git reset --hard HEAD~1"

# 3. Restart services
ssh root@157.245.56.178 "pm2 restart all"
Confidence
93% confidence
Finding
git reset --hard: discards every uncommitted change in the working tree and moves the branch back one commit, with no check that HEAD~1 is the intended release.
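A hardened replacement for the flagged deploy and rollback steps, covering the safeguards the overview asks for (no root, no password login, explicit production confirmation, dry-run by default, validated and targeted rollback). This is an added example written for this report, not the skill's own script. It keeps the host address and application path from the flagged commands, but the non-root account named deploy with key-only SSH access, the key path, the pm2 process name smdating, the npm run migrate script, and the CONFIRM_PROD token are all hypothetical.

```shell
#!/bin/sh
# Added example for this report, not the skill's own script. Hypothetical
# assumptions: a non-root "deploy" account with key-only SSH access and
# permission to run pg_dump/pg_restore, git and pm2 on the host; a pm2 process
# named "smdating"; an "npm run migrate" script; a CONFIRM_PROD token.
# The host address and application path come from the flagged commands.

DEPLOY_HOST="${DEPLOY_HOST:-157.245.56.178}"
DEPLOY_USER="${DEPLOY_USER:-deploy}"                     # never root
DEPLOY_KEY="${DEPLOY_KEY:-$HOME/.ssh/deploy_ed25519}"    # assumed key path
APP_DIR="/var/www/sm-dating-website"
APP_NAME="smdating"
DRY_RUN="${DRY_RUN:-1}"   # default prints the commands; DRY_RUN=0 executes them

# Gate every production action: refuse root, require a key file (no password
# fallback), and demand a per-host confirmation token so a vague "deploy code"
# request cannot reach production without an explicit operator decision.
preflight() {
    [ "$DEPLOY_USER" != root ] || { echo "refusing to deploy as root" >&2; return 1; }
    [ -r "$DEPLOY_KEY" ] || { echo "no SSH key at $DEPLOY_KEY; passwords are not used" >&2; return 1; }
    [ "${CONFIRM_PROD:-}" = "deploy:$DEPLOY_HOST" ] ||
        { echo "set CONFIRM_PROD=deploy:$DEPLOY_HOST to change production" >&2; return 1; }
}

# Run one remote command, or print it in dry-run mode. BatchMode=yes makes ssh
# fail instead of prompting, so a missing key can never degrade to a password.
remote() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN ssh %s@%s "%s"\n' "$DEPLOY_USER" "$DEPLOY_HOST" "$1"
    else
        ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -i "$DEPLOY_KEY" \
            "$DEPLOY_USER@$DEPLOY_HOST" "$1"
    fi
}

# Accept only a concrete backup name; the YYYYMMDD_HHMMSS placeholder from the
# skill's rollback step, or anything carrying shell metacharacters, is rejected.
valid_backup_name() {
    case "$1" in
        smdating_backup_[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_[0-9][0-9][0-9][0-9][0-9][0-9].dump) return 0 ;;
        *) return 1 ;;
    esac
}

# Require a full commit SHA. HEAD~1 is relative to whatever HEAD happens to be,
# so running the skill's rollback twice walks back two releases.
valid_commit() { printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'; }

# Forward deploy: back up first, verify the archive, check out an exact commit
# on the host instead of uploading a working tree, restart one process.
deploy() {
    commit="$1"
    preflight || return 1
    valid_commit "$commit" || { echo "deploy needs a full commit SHA" >&2; return 1; }
    stamp=$(date -u +%Y%m%d_%H%M%S)
    remote "pg_dump -Fc -f /tmp/${APP_NAME}_backup_$stamp.dump $APP_NAME"
    remote "pg_restore --list /tmp/${APP_NAME}_backup_$stamp.dump >/dev/null"
    remote "cd $APP_DIR && git fetch --quiet origin && git checkout --quiet $commit"
    remote "cd $APP_DIR && npm ci --omit=dev && npm run migrate"   # assumed script
    remote "pm2 restart $APP_NAME"                                  # not 'pm2 restart all'
}

# Targeted rollback: validate the archive and the target commit before anything
# is overwritten, and refuse to discard uncommitted changes on the host.
rollback() {
    backup="$1"; commit="$2"
    preflight || return 1
    valid_backup_name "$backup" || { echo "unexpected backup name: $backup" >&2; return 1; }
    valid_commit "$commit" || { echo "rollback needs the known-good commit SHA" >&2; return 1; }
    remote "pg_restore --list /tmp/$backup >/dev/null"
    remote "pg_restore --clean --if-exists -d $APP_NAME /tmp/$backup"
    remote "cd $APP_DIR && git cat-file -e $commit && [ -z \"\$(git status --porcelain)\" ] && git checkout --quiet $commit"
    remote "pm2 restart $APP_NAME"
}

case "${1:-}" in
    deploy)   deploy "$2" ;;
    rollback) rollback "$2" "$3" ;;
esac
```

Run it as `CONFIRM_PROD=deploy:157.245.56.178 ./deploy.sh rollback smdating_backup_20240315_021500.dump <sha>` to see the exact commands it would send, then add `DRY_RUN=0` to execute them. Two caveats a practitioner should keep in mind: pg_restore --clean only drops and recreates the objects present in the archive, so schema objects created by a forward migration survive the restore and need their own down-migration, and git checkout (unlike git reset --hard) refuses to overwrite uncommitted edits on the host, which is the intended behaviour here.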

VirusTotal

58/58 vendors reported this skill as clean. A clean antivirus verdict covers malware signatures only; it says nothing about the hardcoded root credential and unsafe deployment flow reported in the findings above.
