
Security audit

Exo Cluster

Security checks across malware telemetry and agentic risk

Overview

This skill is a guide for manually setting up an Exo local AI cluster; it exposes network services, so users should expect to manage the associated network-service risks.

Install only from trusted Exo sources, review cloned repositories before running them, and consider pinning known-good versions. Run the cluster on trusted networks, restrict exposed ports with a firewall or localhost binding where possible, and avoid sending sensitive prompts or data until access controls are understood.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium, 88% confidence
Finding
The skill instructs users to start services on fixed ports and exposes HTTP APIs/dashboard endpoints without warning about network reachability, authentication, or binding scope. In a clustering context, this can lead users to unintentionally expose model APIs or management interfaces to other hosts on the LAN or beyond, increasing the risk of unauthorized access and misuse.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.