ops-mcp-server

Security checks across malware telemetry and agentic risk

Overview

This operations skill is not malware, but it can run real infrastructure procedures while also describing itself as read-only, so users should review it carefully before installing.

Install only if you trust the mcporter package, the local ops MCP server, and the credentials you configure. Treat this as a production-operations skill, not a read-only observability helper: use least-privilege tokens, separate read-only access from SOP execution where possible, and require explicit human confirmation before any restart, scaling, migration, database, node, or namespace-changing procedure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Intent-Code Divergence

Severity: High (99% confidence)
Finding
The skill explicitly exposes `execute-sops-from-ops`, which can perform operational actions, yet the documentation states that all access is read-only. This mismatch is dangerous because users or downstream agents may authorize or invoke the skill under false assumptions, leading to unintended state-changing actions during incident response or routine troubleshooting.

Description-Behavior Mismatch

Severity: Medium (93% confidence)
Finding
The skill is primarily framed as an observability and investigation interface, but it also includes operational procedure execution. That framing can mislead an agent or operator into treating the skill as low-risk read access, increasing the chance of accidental invocation of impactful runbooks in contexts where only diagnostic access was intended.

Vague Triggers

Severity: Medium (88% confidence)
Finding
The trigger list contains broad operational terms such as `ops`, `logs`, `metrics`, `incident`, `cluster`, and `pod`, which can cause the skill to be selected in many routine conversations. Because this skill includes an execution pathway via SOPs, over-broad invocation increases the risk that a high-impact tool becomes available or prioritized when the user only intended general discussion or passive analysis.

Missing User Warnings

Severity: Medium (95% confidence)
Finding
The documentation presents SOP execution as a normal capability but does not prominently warn that these procedures may change infrastructure state or have production impact. In an operational setting, that omission can lead users or agents to execute restart, failover, scaling, or other runbooks without fully understanding consequences, approvals, or rollback requirements.

Missing User Warnings

Severity: Medium (88% confidence)
Finding
The examples explicitly encourage broad wildcard queries such as namespace-wide and notification-wide event retrieval, but they do not warn that returned data may contain sensitive operational metadata, alert contents, provider/channel details, or incident information. In an ops-focused skill, this omission increases the chance that users will over-collect or expose infrastructure telemetry beyond the minimum needed for troubleshooting.

Missing User Warnings

Severity: Medium (92% confidence)
Finding
The examples show execution of impactful operational procedures such as database backup/migration, scaling deployments to zero, and increasing production resources without an explicit warning immediately adjacent to the commands about service disruption, data risk, rollback requirements, or approval gates. In an ops-focused skill, users are likely to copy-paste these commands during incidents or maintenance, so missing proximity warnings materially increases the chance of accidental outage or unsafe production changes.

VirusTotal

66/66 vendors flagged this skill as clean.