VPN Mesh v2

Security checks across malware telemetry and agentic risk

Overview

This skill is a real VPN mesh tool, but it performs high-impact networking and public registry actions with weak consent, validation, and secret handling.

Review this carefully before installing. It can change system networking, create a VPN exit node, publish your public endpoint and approximate location to a shared GitHub-backed registry, use a GitHub token if present, and route traffic through or from peers. Use only with a dedicated fine-grained token, inspect the generated WireGuard config before starting it, avoid public announcement unless you intend to operate a public node, and restrict permissions on generated key files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
result = subprocess.run(["wg", "show"], capture_output=True, text=True)
if result.returncode == 0 and len(result.stdout) > 0:
    # Interface is up - sync config without restarting
    result = subprocess.run(
        ["sudo", "wg", "syncconf", "wg0", str(CONFIG_FILE)],
        capture_output=True,
        text=True
Confidence
89% confidence
Finding
result = subprocess.run( ["sudo", "wg", "syncconf", "wg0", str(CONFIG_FILE)], capture_output=True, text=True )

Tainted flow: 'req3' from os.environ.get (line 73, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
req3 = urllib.request.Request(f"https://api.github.com/gists/{GIST_ID}", data=data, method="PATCH")
req3.add_header("Authorization", f"token {token}")
req3.add_header("Content-Type", "application/json")
with urllib.request.urlopen(req3, timeout=10) as resp3:
    result = json.loads(resp3.read())
    print(f"   ✅ Announced to registry ({len(new_nodes)} total nodes)")
    return True
Confidence
96% confidence
Finding
with urllib.request.urlopen(req3, timeout=10) as resp3:

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
Claiming there is 'no central server to hack' is misleading when the design depends on a shared GitHub Gist registry. That registry is a central dependency, and compromise, tampering, deplatforming, or metadata scraping there could affect node discovery, integrity, and user privacy expectations.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The docs describe both a full-mesh model and selective peer connection/routing, which creates ambiguity about actual network exposure and trust relationships. In security-sensitive networking software, inconsistent topology claims can lead operators to misunderstand who can reach whom and when traffic is routed through peers.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The setup script can publish node metadata to a public GitHub Gist-backed registry and directs users to a live public map, which exposes the host's external IP, endpoint, location, and public key beyond what many users would expect from a local VPN setup helper. In the context of an 'exit node' skill this behavior is related to peer discovery, but making publication public and opt-out rather than explicit opt-in creates a real privacy and operational security risk.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The script queries third-party geolocation services for the host IP and uses the returned country/city in node metadata. While not code-execution dangerous, it leaks installation activity and host network information to external services without being necessary for basic WireGuard configuration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup flow is described as creating keys, detecting location, creating config, and announcing the node, but it does not prominently warn that node metadata may be published to a public registry and shown on a live map. Publishing public IP, endpoint, city, and uptime can materially increase deanonymization, targeting, and unwanted exposure of the host.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quick start instructs users to bring up a WireGuard interface with sudo but does not clearly warn that this can alter routing, firewall state, and overall system networking. Users may unintentionally redirect traffic through peers or disrupt local connectivity without understanding the implications.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The documentation explicitly promotes bypassing geo-restrictions and accessing region-blocked services as endorsed use cases. This normalizes policy-sensitive behavior and increases the likelihood the skill will be used to evade regional controls, terms of service, or legal restrictions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that setup will detect location and announce the node to a shared registry, but it does not clearly warn users that this discloses metadata such as approximate geolocation, public IP or endpoint details, and node availability. In a VPN/mesh context, that privacy exposure is material because operators may unintentionally publish identifying infrastructure information to a public or semi-public service.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README promotes turning the host into a VPN exit node but does not prominently warn that third-party traffic may be routed through the operator's machine and network. That omission is dangerous because users may expose themselves to abuse complaints, legal risk, bandwidth consumption, and forensic attribution for traffic they did not originate.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The script makes outbound requests and may attach a GitHub token without explicit user disclosure or opt-in, which can surprise users and leak metadata about execution context. In an agent skill, silent network access using ambient credentials is risky because users may not expect a visualization helper to consume credentials.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The registry URL is fully controllable via VPN_MESH_REGISTRY and is fetched without validation or user warning, enabling unexpected outbound requests to arbitrary hosts. In an agent environment this can be abused for SSRF-like behavior, internal network probing, or exfiltration of request metadata.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script collects the external IP and location and then later announces that data to a public registry, but it does not present an upfront warning or explicit confirmation before disclosure. Because this skill is intended to create globally routable VPN exit nodes, publishing endpoint and location details materially increases the privacy and targeting risk to the operator.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The script consumes GITHUB_TOKEN from the environment and uses it for authenticated API calls to modify a Gist, but it does not clearly explain the required token scope or the implications of providing it to the setup process. This is primarily a credential-handling transparency issue that could lead users to over-privilege tokens or expose them in unsafe environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup flow gathers external IP/location data, reads credentials, writes private key material to disk, and may publish node metadata to an external registry without an upfront warning or confirmation gate. In the context of a VPN exit-node skill, this is more dangerous because it can expose the host as a routable network node and disclose identifying information with little user awareness.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code overwrites the WireGuard configuration file with peer entries from a remote registry without user confirmation or integrity checks. This is risky because it can silently change future VPN behavior and route all traffic through untrusted peers using AllowedIPs = 0.0.0.0/0, ::/0.

Ssd 4

Medium
Confidence
90% confidence
Finding
The narrative incrementally encourages routing all agent traffic through foreign peers to obtain access unavailable in the local jurisdiction. In context, this makes a sensitive networking skill more dangerous because it lowers operator caution and frames broad traffic redirection as routine rather than high-risk.

VirusTotal

65/65 vendors flagged this skill as clean.
