Hyperv Create Vm
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its VM-creation purpose, but it asks for high-privilege Hyper-V execution while key PowerShell scripts are missing from the package and its password-handling script contradicts its own safety claim.
Use this only on a test or intended Hyper-V host, and do not run any missing or externally obtained PowerShell scripts as administrator. Review the commands before execution, use a throwaway VM password until the password hashing code is fixed, restrict VM names to simple safe characters, and consider adding checksum verification for downloaded binaries.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may be led to run missing or externally sourced administrator PowerShell code on the Hyper-V host.
The skill tells the user/agent to copy and run privileged PowerShell helpers, but the supplied manifest does not include create-vm.ps1, destroy-vm.ps1, or find-vm-ip.ps1. The core privileged code is therefore outside the reviewed artifact set.
scp scripts/create-vm.ps1 hyperv-host:C:/Users/youruser/Downloads/
ssh hyperv-host "powershell -ExecutionPolicy Bypass -File ... create-vm.ps1 ..."
Do not run substitute scripts from elsewhere. Require the package to include the exact reviewed PowerShell scripts, or perform the Hyper-V steps manually with audited commands.
A VM password you expect to stay out of command-line arguments may briefly appear in local process listings.
Despite the safety claim, the script interpolates the plaintext password into the python -c command line, which can be visible to process-list monitoring while the command runs.
# Password is read from VM_PASSWORD env var or stdin to avoid exposure
# in process lists and shell history.
...
PASS_HASH=$(python3 -c "import crypt; print(crypt.crypt('${PASSWORD}', crypt.mksalt(crypt.METHOD_SHA512)))")
Avoid using sensitive reused passwords. The script should pass the password to Python through stdin or an environment variable and update the documentation to match actual handling.
If an untrusted party can influence the VM password, they may be able to trigger unintended local Python execution.
The password is inserted directly into Python source without escaping. A crafted password containing quotes could alter the Python command executed on the local build host.
PASS_HASH=$(python3 -c "import crypt; print(crypt.crypt('${PASSWORD}', crypt.mksalt(crypt.METHOD_SHA512)))")
Do not interpolate user-controlled strings into code. Read the password inside Python from stdin or an environment variable and validate/escape all inputs.
A malformed or malicious VM name could cause deletion of an unexpected local directory ending in -cidata.
The required VM name is used to construct a path that is recursively deleted, with no validation against slashes, traversal sequences, or shell metacharacters.
VM_NAME="${1:?Usage: VM_PASSWORD=<pass> $0 <vm-name> [ssh-public-key] [extra-packages]}"
WORK_DIR="/tmp/${VM_NAME}-cidata"
...
rm -rf "$WORK_DIR"
Restrict VM names to a safe pattern such as letters, numbers, and hyphens, and use mktemp or another safe temporary-directory mechanism instead of deriving delete paths directly from user input.
Commands run through this skill can create, start, stop, or remove VMs and modify host-side virtual disk files.
These privileges are expected for Hyper-V VM creation, but they grant broad authority over the Windows host.
SSH access to Hyper-V host ... required: true Hyper-V admin privileges ... elevated PowerShell (Hyper-V cmdlets, fsutil, icacls).
Use a dedicated, least-privilege administrative account where possible, run only against the intended Hyper-V host, and review destructive operations before execution.
The new VM trusts a downloaded executable from GitHub during first boot.
Cloud-init downloads a pinned Docker Compose binary and makes it executable. This is purpose-aligned for a Docker-ready VM, but there is no checksum or signature verification in the artifact.
curl -SL "https://github.com/docker/compose/releases/download/v2.32.4/docker-compose-linux-x86_64" -o /usr/local/lib/docker/cli-plugins/docker-compose
chmod +x /usr/local/lib/docker/cli-plugins/docker-compose
Verify the binary with a checksum/signature or install through a trusted package source if available.
