Back to skill

Security audit

Coolify

Security checks across malware telemetry and agentic risk

Overview

This Coolify skill is purpose-aligned, but it needs review because it can change or delete real infrastructure and encourages unsafe handling of secrets and private keys.

Install only if you want an agent to operate Coolify resources. Use a least-privilege Coolify token, manually confirm any deploy, stop, restart, delete, or environment-variable change, and do not let the agent read or pass private keys or secrets on the command line unless you explicitly intend that exact action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill is explicitly user-invocable and documents extensive shell-based operations, but it does not declare permissions or safety boundaries for executing those actions. That creates a mismatch between documented capability and governance, increasing the chance an agent will perform infrastructure changes without clear authorization controls or policy enforcement.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises deployment, lifecycle, database, infrastructure, environment-variable, and integration management without warning that many of these actions are state-changing or destructive. In an agent setting, missing confirmation guidance makes accidental outages, misconfiguration, or unauthorized modifications materially more likely.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation includes direct examples for deleting databases, services, servers, projects, environments, and keys with no warnings, confirmation flow, or backup checks. Because these are irreversible or highly disruptive operations against real infrastructure, an agent could translate a casual or ambiguous prompt into destructive production changes.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill demonstrates passing secrets and private keys on the command line and in configuration examples without any warning about exposure through shell history, process listings, logs, or agent transcripts. This materially increases the risk of credential leakage and compromise of servers, repositories, or deployed applications.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The generic API helper sends arbitrary HTTP methods and endpoints, including destructive DELETE requests, with no built-in safety interlocks, confirmation, or allowlist enforcement. In an agent-tooling context, this increases the chance that a mistaken or manipulated invocation can cause irreversible state changes against the Coolify API.

Missing User Warnings

High
Confidence
96% confidence
Finding
The database delete command performs an irreversible DELETE using only a UUID, with no confirmation prompt, dry-run mode, or secondary acknowledgement. In an agent skill, a prompt-injected or mistaken request could destroy production data immediately once the tool is invoked.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
[[ -z "$env_uuid" ]] && { error_response "MissingParameter" "Missing --env-uuid" ""; return 1; }
  
  local response
  response=$(api_call DELETE "/applications/${uuid}/envs/${env_uuid}")
  success_response "$response"
}
Confidence
88% confidence
Finding
DELETE "/applications/${uuid}/envs/${env_uuid}

Tool Parameter Abuse

High
Category
Tool Misuse
Content
[[ -z "$uuid" ]] && { error_response "MissingParameter" "Missing --uuid" ""; return 1; }
  
  local response
  response=$(api_call DELETE "/databases/${uuid}")
  success_response "$response"
}
Confidence
97% confidence
Finding
DELETE "/databases/${uuid}

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.