Soc Deploy Misp
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill coherently deploys MISP on a Docker host, but users should notice that it runs remote deployment commands, pulls an unpinned upstream project, and stores powerful credentials in a plaintext file.
This appears to be a straightforward MISP deployment helper. Before installing, make sure the SSH target is the right host, use a strong custom admin password, protect or delete the generated ~/misp/api-key.txt file, and consider pinning the upstream misp-docker version for production use.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill will make real changes on the selected machine, including starting Docker services and writing configuration files.
The skill directs the agent/user to copy and run a shell deployment script on a remote host. This is expected for deploying MISP, but it gives the script authority to modify that host.
scp scripts/setup.sh <target>:~/
ssh <target> "bash ~/setup.sh 'admin@misp.local' '<password>'"
Run it only on a host intended for MISP, review the target before execution, and keep backups or a rollback plan for that host.
What gets deployed can change if the upstream repository changes, even though using the official MISP Docker project is consistent with the skill’s purpose.
The script pulls the live upstream MISP Docker repository and runs its Compose deployment without pinning a commit or release.
git clone --quiet https://github.com/MISP/misp-docker.git "$MISP_DIR"
...
docker compose up -d
For production or repeatable deployments, pin the MISP Docker repository to a reviewed tag or commit and review Compose changes before running.
Anyone who can read the credential file or knows the unchanged default password could gain significant access to the MISP instance.
The script supports a static default admin password and saves the MISP admin password, API key, and database passwords in a plaintext file.
PASSWORD="${2:-ChangeMe123!}"
...
cat > ~/misp/api-key.txt << EOF
...
Admin: ${ADMIN_EMAIL} / ${PASSWORD}
API Key: ${API_KEY}
...
MySQL Root: ${MYSQL_ROOT_PW}
Always provide a strong unique admin password, restrict permissions on ~/misp/api-key.txt, and rotate or remove stored credentials after setup if they are not needed.
