Back to skill

Security audit

SSH Server Watchdog

Security checks across malware telemetry and agentic risk

Overview

This server-monitoring skill mostly does what it says, but it includes high-impact restart authority plus unsafe SSH and alert defaults that users should review before installing.

Install only after reviewing and changing the defaults. Remove the hard-coded Telegram chat ID and host-specific administrator references, explicitly configure the alert recipient, prefer SSH keys with host verification enabled, and require manual approval before restarts or PM2 deployment unless you intentionally want unattended auto-healing on that server.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
76% confidence
Finding
The script embeds environment-specific access details and operational assumptions, including a hardcoded Telegram chat ID and later explicit host/admin connection instructions, while only checking a localhost MongoDB instance. In an agent skill context, hardcoded infrastructure identifiers can leak sensitive operational metadata and encourage unsafe reuse against the wrong host or privilege boundary.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation language is very broad and can cause the skill to activate for common administration prompts, including cases where the user did not explicitly authorize disruptive actions like service restarts. In the context of a skill that includes remote SSH access and restart procedures, overbroad triggering raises the risk of unintended operational changes on production systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow explicitly includes auto-healing and restart actions but does not require a warning, approval gate, or dry-run before performing destructive or service-impacting operations. In a remote server administration context, automatic restarts can cause downtime, data loss, or interfere with incident response if triggered without informed consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The password-based SSH example disables host key verification with StrictHostKeyChecking=no and embeds plaintext password handling in an expect script. This makes man-in-the-middle attacks and credential exposure more likely, especially because the skill is intended for remote server administration where compromised SSH credentials can lead to full server takeover.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/mongodb-watchdog.js:89