Back to skill

Security audit

Proxmox Management

Security checks across malware telemetry and agentic risk

Overview

This Proxmox administration skill appears purpose-built and mostly transparent, but it has enough overbroad infrastructure-control risk to warrant review before installation.

Install only with a Proxmox API token limited to the specific nodes, VMs, containers, and actions you intend the agent to manage. Review or patch the VM kind/action validation before allowing power operations, and prefer pinned dependency versions in controlled environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
def status_current(p: ProxmoxAPI, node: str, kind: str, vmid: str):
    # kind is usually 'qemu' or 'lxc'
    endpoint = getattr(p.nodes(node), kind)
    return endpoint(vmid).status.current.get()

def action_vm(p: ProxmoxAPI, node: str, kind: str, vmid: str, action: str):
Confidence
90% confidence
Finding
endpoint = getattr(p.nodes(node), kind)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
def action_vm(p: ProxmoxAPI, node: str, kind: str, vmid: str, action: str):
    # action: start, stop, reboot, shutdown
    endpoint = getattr(p.nodes(node), kind)
    return getattr(endpoint(vmid).status, action).post()

def _vm_endpoint(p: ProxmoxAPI, node: str, kind: str, vmid: str):
Confidence
95% confidence
Finding
endpoint = getattr(p.nodes(node), kind)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill requires sensitive environment variables (PVE_HOST, PVE_TOKEN_ID, PVE_TOKEN_SECRET) to authenticate to a Proxmox cluster, but it does not declare explicit permissions despite clearly using privileged external access. This creates a transparency and policy-enforcement gap: an agent or platform may expose credentials and infrastructure control without an explicit permission boundary, increasing the risk of unauthorized VM/container management or cluster reconnaissance.

Unpinned Dependencies

Low
Category
Supply Chain
Content
proxmoxer>=2.0.0
requests>=2.0.0
Confidence
96% confidence
Finding
proxmoxer>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
proxmoxer>=2.0.0
requests>=2.0.0
Confidence
99% confidence
Finding
requests>=2.0.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.