Back to skill

Security audit

Proxmox Multi Control

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it lets an agent administer Proxmox hosts, but users should treat its credentials and infrastructure actions as sensitive.

Install only if you want an agent to manage your Proxmox environment. Use a dedicated Proxmox user with the minimum required permissions, keep the credentials file locked down, avoid root or broad tokens, enable TLS verification where practical, and require explicit confirmation before power actions, snapshot deletion, or rollback. Treat outputs such as hostnames, VM names, backups, task history, and token IDs as sensitive infrastructure information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (10)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
def action_vm(p: ProxmoxAPI, node: str, kind: str, vmid: str, action: str):
    endpoint = getattr(p.nodes(node), kind)
    return getattr(endpoint(vmid).status, action).post()

def snapshot_vm(p: ProxmoxAPI, node: str, kind: str, vmid: str, snapname: str, vmstate: bool = False):
    endpoint = getattr(p.nodes(node), kind)
Confidence
89% confidence
Finding
return getattr(endpoint(vmid).status, action).post()

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly relies on environment variables and a local credentials file for highly sensitive Proxmox API tokens, but no declared permissions are present to scope or signal that access. In an agent framework, undeclared secret access reduces transparency and can let a skill handle powerful infrastructure credentials without users or policy layers clearly understanding that capability.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The `hosts` command returns each configured host's `token_id` to the caller. While this may not expose the secret token value, credential identifiers and account naming conventions are sensitive metadata that aid reconnaissance and are not necessary for normal Proxmox administration output.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises destructive capabilities such as power control and snapshot delete/rollback without clearly warning that these operations can cause service outages, data loss, or state reversion. In an agent skill context, missing safety guidance increases the chance that a user or upstream agent invokes high-impact actions casually or without confirmation.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description is broad enough to match generic requests about servers, status, backups, or VMs, which can cause unintended invocation of a skill that has access to live infrastructure management APIs. Over-broad activation increases the chance an agent routes unrelated or ambiguous requests into a high-privilege operational skill, potentially exposing sensitive inventory data or enabling risky follow-on actions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Exposing raw `token_id` values in normal output leaks credential-related identifiers without masking or warning. In a multi-host infrastructure management skill, this increases the value of any prompt exfiltration or output capture by revealing privileged account names and token labels tied to production systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script executes power-control operations (`start`, `stop`, `shutdown`, `reboot`) immediately on VMs/containers with no confirmation, dry-run, or warning. In this skill's context, which can target one or many Proxmox hosts, accidental invocation or prompt-manipulated invocation can directly disrupt running services and production workloads.

Missing User Warnings

High
Confidence
97% confidence
Finding
Snapshot deletion is irreversible in practice and is performed immediately with no confirmation barrier. In a Proxmox management skill, this can destroy recovery points for critical systems, worsening the impact of mistakes or malicious prompting and undermining resilience during incidents.

Missing User Warnings

High
Confidence
98% confidence
Finding
Snapshot rollback can revert a VM/container to an earlier state, causing data loss, service disruption, and configuration regression, yet the script performs it without warning or confirmation. Given this skill manages infrastructure systems, an unintended rollback can have immediate operational impact across critical workloads.

Session Persistence

Medium
Category
Rogue Agent
Content
## First-Time Setup

### Step 1: Create API Token on Proxmox

For **each** Proxmox host you want to manage:
Confidence
81% confidence
Finding
Create API Token on Proxmox For **each** Proxmox host you want to manage: 1. Login to Proxmox web UI (`https://<ip>:8006`) 2. Go to **Datacenter → Permissions → API Tokens → Add** 3. Choose a user a

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.