Back to skill

Security audit

Server Mate

Security checks across malware telemetry and agentic risk

Overview

Server-Mate is a real monitoring tool, but it asks for production-level server authority and exposes several high-impact features with weak default scoping or hardening.

Install only after reviewing the exact config. Keep automation.dry_run true, leave auto_ban and auto_heal disabled until commands and allowlists are approved, bind the dashboard to localhost or put it behind authentication, avoid plaintext API keys, disable AI analysis if logs or incident context must not leave your environment, and do not use the curl-to-sudo-bash install path without independent verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (26)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Never raises — exceptions are caught and returned as an error string.
    """
    try:
        result = subprocess.run(
            cmd,
            shell=True,
            capture_output=True,
Confidence
99% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=timeout, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"command_text": command_text,
        }
    try:
        completed = subprocess.run(
            shlex.split(command_text),
            capture_output=True,
            text=True,
Confidence
90% confidence
Finding
completed = subprocess.run( shlex.split(command_text), capture_output=True, text=True, timeout=max(int(timeout_seconds), 1), check=F

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes capabilities to read environment variables, read/write files, access the network, and invoke shell commands, but it does not declare permissions or otherwise bound those capabilities in the manifest. That mismatch weakens reviewability and can lead operators to trust a monitoring skill that can also modify local state, execute commands, and reach remote services, increasing the blast radius if later code or prompts are abused.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documentation requires issuing BTPanelClient.exec_shell("echo server-mate-probe") against each remote panel before normal collection. Even though the probe is intended to be side-effect free, it normalizes remote shell execution in a monitoring workflow and expands the trust boundary from passive log retrieval to active command execution on external systems.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill first says OPENAI_API_KEY is runtime-injected and should not be exported manually, but later release notes endorse storing an API key directly in config.yaml. Encouraging plaintext secret storage in a routinely edited local config materially increases the chance of credential leakage through commits, backups, logs, shared workspaces, or accidental disclosure.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
Daily PDF generation is rendered from hard-coded demo BT-style datasets instead of the computed report contents, causing the tool to produce misleading operational and security reports. In a monitoring/ops skill, falsified output can hide incidents, misdirect response, and create dangerous false assurance during outages or attacks.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The weekly/monthly dashboard path also mixes synthetic BT-style visualization data into reports, breaking data integrity for security and performance reporting. For an ops/reporting skill, integrity of reports is security-relevant because responders may rely on them to detect scanning, 5xx spikes, or abnormal traffic patterns.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The built-in dashboard binds an HTTP server to 0.0.0.0 and serves metrics, alerts, active bans, and host details without authentication or authorization checks. On any reachable network, this exposes sensitive operational telemetry and attack-surface information that can aid reconnaissance or leak infrastructure state.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The diagnostic helper is documented like a local diagnostic tool but also issues remote shell commands through BT-Panel clients, widening the execution boundary to other managed hosts. That hidden capability increases the blast radius of mistakes or abuse because alerts can trigger command execution beyond the local machine.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The guide includes a bootstrap one-liner that fetches a script from the internet and pipes it directly into sudo bash, introducing remote code execution as root without integrity verification or user review. Because this capability is undocumented in the skill description, operators may not expect the skill to encourage privileged arbitrary code execution, increasing supply-chain and social-engineering risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises automatic diagnostics via local subprocesses and remote BT-Panel exec_shell, but the warning about system-impacting behavior is not prominent enough relative to the feature description. In a monitoring skill, remote shell execution and automated banning materially raise the risk of unintended service disruption, sensitive data collection, and abuse if misconfigured or triggered by false positives.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README describes AI-driven auditing/classification of candidate IP request context, including URIs, methods, statuses, and user agents, without a clear privacy and third-party data-sharing warning. In a monitoring product, sending log-derived metadata to an LLM can expose personal data, internal paths, tokens in URLs, or other sensitive operational details if operators are not explicitly informed.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The README states the tool may automatically download a GeoIP database from public mirrors, but it does not prominently warn users that enabling this feature causes outbound network access to third-party sources. In an ops/monitoring skill, undocumented external downloads can violate network policy, leak environment metadata such as source IP, and surprise users in restricted environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README says recent request details including URL paths, methods, status codes, and user agents are sent to an LLM for AI security auditing, but it lacks a prominent privacy and data-egress warning. In a server monitoring product, these fields can contain sensitive operational data, internal endpoints, tokens in URLs, customer identifiers, or attack payloads, so silent transmission to a third-party model provider increases confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document describes alert pre-review via a shared AI interface without clearly warning that alert context will be transmitted externally. Alert payloads often include host identifiers, service names, error messages, stack traces, and log excerpts, so the lack of strong disclosure creates avoidable data-leakage and compliance risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The schema explicitly documents retention of distinct client IPs and hashed visitor identities, which are privacy-sensitive data elements. In a monitoring skill that aggregates web traffic and security signals across hosts, storing these identifiers without documented minimization, retention limits, access controls, or user notice increases privacy, compliance, and misuse risk even if the operational purpose is legitimate.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script sends aggregated site and host telemetry to a remote AI endpoint without a clear user-facing warning in this file, which can leak operational metadata outside the monitored environment. In a server monitoring skill, even aggregated data like host IDs, traffic volume, error counts, and timing windows may be sensitive and should not leave the environment silently.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Shell-based diagnostics run automatically in response to alerts without interactive confirmation, making command execution an implicit side effect of monitoring. In a monitoring skill, that is risky because an operator may expect observation only, while the code actually executes multiple host commands and potentially remote commands.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The agent sends operational context, alert metadata, and potentially sensitive incident details to external AI endpoints without strong runtime disclosure or hard safeguards. In a server-monitoring context, this can leak internal hostnames, traffic patterns, errors, and security events to third-party services.

Missing User Warnings

High
Confidence
98% confidence
Finding
The automation subsystem can ban IPs, unban them, and restart services automatically based on parsed logs, heuristics, and optional LLM decisions, all without human confirmation. In this monitoring/ops skill, that is especially dangerous because false positives, prompt mistakes, or config tampering can disrupt production traffic, block legitimate users, or execute arbitrary operational commands on hosts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide states the dashboard listens on http://0.0.0.0:8000, which exposes it on all interfaces by default, but the nearby instructions do not warn users to restrict binding or enforce access controls before use. In a monitoring product that may surface logs, host metrics, topology, and operational controls, accidental network exposure materially increases reconnaissance and unauthorized access risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
Piping a remote script directly into sudo bash executes whatever the remote server returns with root privileges, with no checksum, signature, pinning, or inspection step. This is a classic supply-chain/RCE pattern: compromise of the repo, DNS, transport endpoint, or account publishing the script can lead to full host takeover.

External Transmission

Medium
Category
Data Exfiltration
Content
ai_analysis:
      enabled: true
      simulate: false
      endpoint: https://api.openai.com/v1
      base_url: https://api.openai.com/v1
      model: gpt-4o-mini
      api_key: ""                       # (可选)直接在此处配置大模型 API Key(独立运行时使用,无需配置环境变量)
Confidence
87% confidence
Finding
https://api.openai.com/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### Post-Alert Automatic Deep Diagnostics

When hardware or service alerts trigger, the Agent automatically executes a suite of relevant troubleshooting commands locally (via subprocess) or remotely (via BT-Panel API `exec_shell`). The diagnostic report is appended directly to the webhook alert push message:
- **CPU/Memory/Swap alerts**: runs `ps` sorted by usage, `uptime`, `free`, and `dmesg/journalctl` OOM filters.
- **Disk/Inode alerts**: runs `df -hT`, `df -i`, and directory scans `du -sh` to locate major space/inode consumers.
- **Network/TCP alerts**: runs `ss -s`, `ss -tn state time-wait`, `ip -s link`.
Confidence
88% confidence
Finding
automatically execute

Unvalidated Output Injection

High
Category
Output Handling
Content
Never raises — exceptions are caught and returned as an error string.
    """
    try:
        result = subprocess.run(
            cmd,
            shell=True,
            capture_output=True,
Confidence
99% confidence
Finding
subprocess.run( cmd, shell=True, capture_output

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.