Self-Host Deployer

Security checks across malware telemetry and agentic risk

Overview

This self-hosting guide is mostly coherent, but it asks for server credentials and grants broad Docker-host control without enough scoping or safety warnings.

Install only if you intend to let the agent guide changes on a VPS you own. Before using it:
  • Run the SSH commands yourself rather than handing the agent a session, and inspect every generated command before executing it.
  • Use key-based SSH with a dedicated sudo-capable account instead of root; never paste private keys or long-lived passwords into the chat.
  • Treat Portainer, Dockge, Docker socket mounts (/var/run/docker.sock) and curl-pipe-bash installers as high-trust actions: each grants control of the whole Docker host or runs unreviewed remote code, not just the one app being deployed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The Langfuse section claims a production-ready deployment but omits components called out in its own note, specifically worker/auxiliary dependencies such as ClickHouse and Redis. This creates a misleading deployment path that may leave operators with a partially functional or insecure setup and can cause unsafe improvisation during deployment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
Including infrastructure-management tools like Nginx Proxy Manager, Portainer, and Dockge expands the skill from single-app deployment into broad host and container administration. That substantially increases the privilege and blast radius of actions performed through the skill beyond what a user may expect from 'self-host app deployment.'

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
Mounting /var/run/docker.sock into Portainer gives the container effectively root-equivalent control over the Docker host, including starting privileged containers, accessing mounted secrets, and managing unrelated workloads. In the context of a general deployment skill, this is a major capability escalation beyond deploying one application.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
Dockge is configured with both the Docker socket and a writable stacks directory, granting broad control over the host's containers and Compose deployments. This enables creation, modification, and persistence of arbitrary services unrelated to the requested app, greatly increasing abuse potential.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
Even as 'optional,' mounting the Docker socket into Uptime Kuma gives it visibility and control over the Docker host well beyond passive uptime monitoring. Users following the template may unknowingly deploy a monitoring service with host-management capability.
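As an added example, not code from the Self-Host Deployer skill or from SkillSpector, the POSIX shell script below is the pre-flight check a practitioner would run over what the agent generates before applying any of it. It covers the three socket-mount findings above and the overview's advice to inspect generated commands and treat curl-pipe-bash installers as high-trust. The pattern list, the function names (audit_compose, audit_command) and the sample Compose stack are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Self-Host Deployer skill or of SkillSpector.
# Pre-flight audit for agent-generated Compose files and shell commands: it
# flags the patterns the findings above call high-trust so a human reviews
# them before anything is applied. The pattern list is an assumption for
# this example; extend it for your own host.

# audit_compose FILE: print each high-trust setting with its line number.
# Returns 1 if anything was flagged, 0 if the file is clean.
audit_compose() {
    f="$1"
    rc=0
    while IFS='@' read -r label regex; do
        [ -z "$label" ] && continue
        if m=$(grep -nE "$regex" "$f"); then
            printf '[high-trust] %s\n%s\n' "$label" "$m"
            rc=1
        fi
    done <<'EOF'
Docker socket mounted (root-equivalent control of the host)@/var/run/docker\.sock
privileged container@^[[:space:]]*privileged:[[:space:]]*true
host network namespace@^[[:space:]]*network_mode:[[:space:]]*"?host"?
host PID namespace@^[[:space:]]*pid:[[:space:]]*"?host"?
extra Linux capabilities@^[[:space:]]*cap_add:
host path bind-mounted into a container (confirm it must be writable)@^[[:space:]]*(-[[:space:]]*"?/[^:]+:|source:[[:space:]]*"?/)
EOF
    return $rc
}

# audit_command 'COMMAND': same idea for one shell command the agent proposes.
# Returns 1 if it must be reviewed by hand before running, 0 otherwise.
audit_command() {
    cmd="$1"
    rc=0
    while IFS='@' read -r label regex; do
        [ -z "$label" ] && continue
        if printf '%s\n' "$cmd" | grep -qE "$regex"; then
            printf '[high-trust] %s: %s\n' "$label" "$cmd"
            rc=1
        fi
    done <<'EOF'
remote script piped straight into a shell@(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)
Docker socket handed to a container@docker\.sock
privileged docker run@docker[[:space:]]+run.*--privileged
EOF
    return $rc
}

# Constructed sample stack (made up for this example, not the skill's own
# file): a Portainer service with the socket mount beside an ordinary web app.
SAMPLE_COMPOSE='services:
  portainer:
    image: portainer/portainer-ce
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
  web:
    image: nginx
    ports:
      - "8080:80"
volumes:
  portainer_data:'

# demo: audit the sample stack from a temp file, then a few commands.
demo() {
    t=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_COMPOSE" > "$t"
    audit_compose "$t"
    rc=$?
    rm -f "$t"
    audit_command 'curl -fsSL https://example.invalid/install.sh | sudo bash'
    audit_command 'docker compose up -d' && echo 'docker compose up -d: nothing flagged'
    return $rc
}
demo || echo 'review the flagged lines before deploying'
```

Run it against the compose file and each command the agent emits; a non-zero exit from either function is the cue to stop and read the flagged line rather than paste it into the VPS. The socket line is reported twice on purpose: once as a socket mount and once as a host bind mount, since both reviews apply to it.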

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger phrases are broad and overlap with normal user language, which can cause the skill to activate in situations where the user did not intend infrastructure deployment guidance. Because this skill requests credentials and performs host-level changes, accidental invocation is more dangerous than for a low-risk informational skill.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The 'When to Use' guidance includes catch-all wording like 'self-host' and 'host my own X,' which is ambiguous and can match exploratory or hypothetical discussion. In a skill capable of changing infrastructure, ambiguous invocation increases the risk of unintended escalation into credential collection or deployment instructions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill asks for VPS IP, SSH credentials, and email without any privacy, storage, or safe-handling warning. Requesting sensitive access details as routine input can normalize unsafe credential sharing and expose users to credential leakage or misuse.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The workflow performs substantial system modifications—installing packages, creating configs, obtaining certificates, writing secrets, and scheduling cron jobs—without a consolidated warning or explicit user approval checkpoint. That can lead users to apply impactful infrastructure changes without fully understanding consequences or rollback requirements.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The skill explicitly instructs collection of raw SSH credentials as part of normal operation. In the context of an agent skill, that is dangerous because it encourages users to disclose highly sensitive secrets into a conversational channel instead of using safer local authentication methods.
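The finding above, and the overview's advice, both point at the alternative to pasting SSH secrets into a chat: key-based access for a dedicated account. The script below is an added example, not code from the skill or from SkillSpector. It checks a server's sshd_config for the key-only, no-root settings and refuses anything that is not an OpenSSH public-key line before it would be added to the deploy account's authorized_keys. The keyword defaults, the accepted key types, the minimum key-blob length and the sample config and key are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Self-Host Deployer skill or of SkillSpector.
# Local checks that stand in for pasting SSH secrets into a chat: verify the
# server's sshd_config is key-only with no root login, and accept only an
# OpenSSH public-key line for the deploy account's authorized_keys. The
# keyword defaults, accepted key types and minimum key length are assumptions
# made for this example; confirm the live server settings with `sshd -T`.

# check_sshd_config FILE: sshd takes the FIRST value it sees for a keyword,
# hence head -n1; commented lines are skipped and a missing keyword falls
# back to the OpenSSH default listed here. Match blocks and Include files
# are not followed. Prints one FAIL line per bad setting; returns 1 if any.
check_sshd_config() {
    f="$1"
    rc=0
    while IFS='@' read -r key want default; do
        [ -z "$key" ] && continue
        got=$(grep -iE "^[[:space:]]*$key[[:space:]]+" "$f" | head -n1 | awk '{print tolower($2)}')
        got=${got:-$default}
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s is %s (want %s)\n' "$key" "$got" "$want"
            rc=1
        fi
    done <<'EOF'
PasswordAuthentication@no@yes
KbdInteractiveAuthentication@no@yes
PubkeyAuthentication@yes@yes
PermitRootLogin@no@prohibit-password
EOF
    return $rc
}

# is_public_key 'LINE': 0 if LINE is a bare OpenSSH public key (key type,
# base64 blob of at least 40 characters, optional comment), 1 for anything
# else, including private-key material and passwords. Lines with key options
# such as a command="..." prefix are deliberately not accepted.
is_public_key() {
    printf '%s\n' "$1" | grep -q 'PRIVATE KEY' && return 1
    printf '%s\n' "$1" | grep -qE '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]{40,}=*( .*)?$'
}

# Constructed inputs for the demo (made up; not real config or keys).
SAMPLE_SSHD_CONFIG='#Port 22
#PasswordAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers deploy'
WEAK_SSHD_CONFIG='PermitRootLogin yes
#PasswordAuthentication no'
# Placeholder key blob: the right shape and length, not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlaceholde deploy@laptop'
SAMPLE_PRIVKEY_HEADER='-----BEGIN OPENSSH PRIVATE KEY-----'

demo() {
    t=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$t"
    check_sshd_config "$t" && echo 'sample sshd_config: key-only, root login disabled'
    printf '%s\n' "$WEAK_SSHD_CONFIG" > "$t"
    check_sshd_config "$t" || echo 'weak sshd_config: fix the FAIL lines above first'
    rm -f "$t"
    # Never echo the rejected input: it may be the very secret we refused.
    for k in "$SAMPLE_PUBKEY" "$SAMPLE_PRIVKEY_HEADER" 'hunter2'; do
        if is_public_key "$k"; then
            echo "accepted public key for ${k##* }"
        else
            echo 'rejected: not an OpenSSH public-key line'
        fi
    done
}
demo
```

Run check_sshd_config against a copy of the server's /etc/ssh/sshd_config (or the output of `sshd -T`, whose keywords are lower-case and already resolved, so the first-match rule no longer matters). The rejection path prints nothing about the input on purpose: a check that echoes a pasted private key back into the chat would defeat its own point.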

VirusTotal

All 60 of 60 vendors reported this skill as clean.
