Back to skill

Security audit

Bohrium Image Management

Security checks across malware telemetry and agentic risk

Overview

This Bohrium image-management skill is not malicious, but it gives an agent credentialed authority to upload Dockerfiles and create, share, unshare, or delete remote images without enough safeguards.

Install only if you trust the Bohrium project/account context and are comfortable giving the skill an ACCESS_KEY. Before any build, inspect the Dockerfile for secrets or proprietary content because it will be uploaded to Bohrium. Require explicit user confirmation before build, delete, share, or unshare actions, and list/verify image IDs before making changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tainted flow: 'HEADERS_JSON' from os.environ.get (line 21, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
dockerfile_content = f.read()

    # Validate Dockerfile first
    check = requests.post(
        f"{BASE_V2}/dockerfile/check",
        headers=HEADERS_JSON,
        json={"dockerfile": dockerfile_content},
Confidence
80% confidence
Finding
check = requests.post( f"{BASE_V2}/dockerfile/check", headers=HEADERS_JSON, json={"dockerfile": dockerfile_content}, )

Tainted flow: 'HEADERS_JSON' from os.environ.get (line 21, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
print("Dockerfile validation passed.")

    # Build
    r = requests.post(
        f"{BASE_V2}/private",
        headers=HEADERS_JSON,
        json={
Confidence
83% confidence
Finding
r = requests.post( f"{BASE_V2}/private", headers=HEADERS_JSON, json={ "name": name, "projectId": project_id, "device": "container",

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The documented share/unshare operations extend beyond the stated scope of listing, pulling, creating, and deleting images. This scope drift is dangerous because an agent may perform project-scoped access-control changes that users did not intend, potentially exposing private images to other project members or altering availability.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file-level documentation presents the module as search/browse oriented, but the implementation also supports building private images. That mismatch can mislead users or higher-level agents into invoking a state-changing operation they did not expect, which is a security-relevant capability disclosure issue.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation implies read-only behavior, yet the code includes image creation against a private API. In agent settings, such understatement increases the risk of unsafe delegation because callers may treat the tool as low-risk discovery functionality when it can actually mutate remote resources and transmit local file contents.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill includes destructive deletion commands with no warning, dry-run advice, identity check, or confirmation guidance. In an agent context this increases the risk of accidental irreversible deletion of custom images, causing service disruption or loss of reproducible environments.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.