Security audit

Proxmox Complete

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Proxmox administration skill, but it should be treated as powerful infrastructure tooling.

Install only if you intend to let OpenClaw administer Proxmox. Use a least-privilege Proxmox API token, protect credential files with restrictive permissions, and require explicit confirmation before start, stop, shutdown, reboot, snapshot creation/deletion, backup, or rollback commands, especially on production clusters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill clearly relies on shell execution and environment-based credentials, but it does not declare permissions to reflect those capabilities. This weakens platform trust boundaries and informed consent because users or orchestration layers may not realize the skill can invoke commands and access sensitive environment variables such as API tokens.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The trigger text says to use the skill whenever the user asks about Proxmox, VMs, LXC, snapshots, backups, or cluster status, which is broad enough to match ordinary discussion rather than an explicit request to operate infrastructure. In an agent setting, that can cause unintended tool invocation against production virtualization systems, increasing the chance of sensitive data exposure or accidental administrative actions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script performs destructive infrastructure actions such as stop, shutdown, reboot, snapshot deletion, and rollback immediately once invoked, with no confirmation, dry-run mode, or additional safety checks. In an agent skill context, this is more dangerous because natural-language misunderstandings, prompt injection, or accidental invocation can directly disrupt production VMs and containers.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.