Minio Share

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward MinIO file-sharing helper, but users should treat every use as an external upload that creates a shareable link.

Install only if you want the agent to upload selected files to your configured MinIO bucket and return shareable links. Use a least-privilege MinIO key scoped to the intended bucket, confirm the exact file and destination before upload, avoid --insecure except in controlled test environments, and remember that uploaded objects may persist after a presigned link expires.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill clearly relies on environment variables containing storage credentials and performs network uploads, yet it declares no permissions or equivalent user-visible capability boundaries. This mismatch can cause the agent to invoke a file-transfer skill without clear review of its access to secrets and outbound network actions, increasing the chance of unintended data exfiltration or unsafe deployment.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger phrases are broad enough to match common requests like 'send files' or 'download videos,' which can cause the skill to activate in routine conversations without the user understanding that an external upload and link generation will occur. In this skill's context, overbroad routing is more dangerous because the action involves transferring files to object storage and creating shareable URLs.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The skill description explains functionality but does not clearly warn users that files will be uploaded to external object storage and exposed through shareable links. Without a prominent disclosure, users may provide sensitive files under the mistaken assumption that handling is local or private, leading to confidentiality and data-sharing risks.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The workflow directs the agent to download remote files to temporary local storage and then upload them to MinIO, but it provides no user-facing disclosure or consent step for either transient local storage or external transfer. This materially increases privacy and compliance risk because users may not realize their content is being copied, stored, and redistributed across systems.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script allows users to disable TLS certificate and hostname verification with `--insecure`, creating a clear path for man-in-the-middle interception of MinIO credentials and uploaded content when used on untrusted networks. In this skill context, the tool handles object storage access keys and shareable file uploads, so weakening transport security is more dangerous than in a non-sensitive utility because it exposes both secrets and file data in transit.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal