Back to skill

Security audit

Nomad Backup

Security checks across malware telemetry and agentic risk

Overview

This is a coherent read-only Nomad troubleshooting skill, but users should treat cluster logs, variables, and Nomad tokens as sensitive.

Before installing, verify the publisher/homepage if provenance matters, use a read-only scoped Nomad ACL token, and avoid asking the agent to print full allocation logs or variable values unless you are prepared to expose that data in the conversation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documented commands include `nomad alloc logs` and `nomad var get`, both of which can expose sensitive data such as application secrets, tokens, internal URLs, personal data, or debug output if operators use them without caution. In a read-only monitoring skill this is contextually expected, but the absence of any warning or redaction guidance increases the risk of inadvertent disclosure through the agent's output or logs.

Missing User Warnings

Low
Confidence
80% confidence
Finding
Referencing `NOMAD_TOKEN` is normal for authenticated Nomad access, but the documentation does not warn that it is a sensitive credential that must not be echoed, logged, or hardcoded. This creates a realistic chance of accidental token exposure in terminal history, agent transcripts, or shared troubleshooting output.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.