Back to skill

Security audit

AIOZ Storage Skill

Security checks across malware telemetry and agentic risk

Overview

This AIOZ website deployment skill is coherent, but it handles account passwords, seed phrases, and long-lived storage grants in under-contained ways.

Install only if you are comfortable letting the agent act on your AIOZ account and bucket. Use a dedicated or limited bucket, avoid all-buckets and delete permissions, avoid putting passwords or seed phrases in chat, shell history, process arguments, or /tmp files, review any downloaded template before upload, and revoke generated credentials or grants after deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill performs extensive network operations against multiple remote APIs, but its metadata declares only required binaries/OS and does not clearly declare or constrain those network capabilities. This weakens reviewability and increases the chance that users or orchestrators will run a credential-handling workflow without understanding its external communication surface.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
Although presented as a website deployment skill, the workflow also obtains bearer tokens, requests root ZKeys, derives grants from a 12-word seed phrase, and registers S3 credentials. That broader secret-derivation and credential-minting behavior materially expands the trust boundary and could enable persistent bucket access beyond a simple file upload task.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The CLI explicitly supports an "all-buckets" mode that derives and emits a grant covering every bucket (`eKeysMap.set("*", [ek])`). For a skill described as deploying static websites, this is broader than necessary and violates least privilege, creating a path to mint credentials that expose unrelated stored data if a user supplies a powerful root key.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The tool allows user-supplied permissions including write, list, and delete (`1=Read,2=Write,3=List,4=Delete`) and then encodes them into the grant without policy restriction. In the context of a static website deployment skill, allowing arbitrary destructive or inventory permissions is unnecessarily powerful and can enable data tampering, bucket enumeration, or deletion if the generated grant is misused.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill asks for a user's email and password and sends them to a remote API without a prominent warning about credential exposure, storage, logging, or safer alternatives. In an agent setting, this can normalize collection of primary credentials and increase phishing-style risk if the skill or environment is compromised.

Missing User Warnings

High
Confidence
99% confidence
Finding
Requesting a 12-word seed phrase and embedding it in command-line examples/config files is highly sensitive because shell history, process listings, temp files, logs, and transcripts can expose the secret. Possession of that phrase may allow derivation of encryption/grant material and effectively permanent access loss or compromise if leaked.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documented interface encourages passing the secret passphrase via `--passphrase` on the command line. Command-line secrets are commonly exposed through shell history, process listings, CI logs, and audit tooling, which can leak the material used to derive encryption keys and storage grants.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.