Vllm Plugin Fl Setup Flagos

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate vLLM setup skill, but it gives an agent broad installation authority and includes under-scoped filesystem and proxy-handling instructions that users should review first.

Install only in an environment where you are comfortable letting an agent clone repositories, install Python packages, build native components, and change shell environment variables. Provide an explicit local model path for testing instead of allowing a whole-machine search, and do not paste proxy URLs containing usernames, passwords, or tokens into the agent chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The skill instructs a filesystem-wide search using `find / -maxdepth 5 ...` based on user-provided input. For an installation/setup skill, searching large portions of the host filesystem is broader than necessary and can reveal sensitive directory names, mounted volumes, or model locations unrelated to the task, especially on shared or production systems.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger phrases are broad enough that the skill could activate in contexts where the user did not clearly intend a full environment setup, leading an agent to suggest or perform cloning, package installation, and backend configuration. In a skill that modifies the system and pulls code from external repositories, ambiguous invocation materially increases the risk of unintended execution and supply-chain exposure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README describes cloning repositories, installing packages, building native components, and exporting environment variables, but does not prominently warn that these actions modify the host environment and require outbound network access. In an automated agent setting, lack of explicit warnings and consent boundaries can cause unexpected system changes and increase the chance of executing risky installation steps without informed user approval.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The instructions tell the operator to request and configure `http_proxy` / `https_proxy` values without warning that proxy URLs may embed usernames, passwords, or internal network details. This creates a risk of collecting, echoing, logging, or mishandling sensitive credentials during routine setup.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding
The quick-test flow recommends `find / ...` without warning that it scans broadly and may disclose directory names or model locations. Even if intended for convenience, this can expose metadata about the system layout and data inventory beyond what is needed to verify installation.
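Findings 1 and 5 both flag the whole-filesystem `find / -maxdepth 5` search. The following is an added example (not code from the scanned skill or from vLLM) of the scoped alternative the overview recommends: take an explicit model path, confine it to an allowed root after resolving symlinks, and only ever walk those roots to a small depth. The function names, the default allowed root, and the sample directory layout are assumptions made for this example.

```python
"""Scoped local-model lookup: an added example, not part of the scanned skill.

Instead of `find / -maxdepth 5 ...` over the whole host, accept an explicit
model path (or a short allowlist of model roots) and verify it looks like a
Hugging Face style checkpoint directory. All names here are hypothetical.
"""
import os
import tempfile
from pathlib import Path

# Assumption: HF-style layout, a config.json plus at least one weight file.
REQUIRED_FILES = ("config.json",)
WEIGHT_SUFFIXES = (".safetensors", ".bin")

# Assumed default root; a real skill would take this from the user.
DEFAULT_ROOTS = (Path.home() / ".cache" / "huggingface" / "hub",)


def is_model_dir(path: Path) -> bool:
    """True if `path` holds every required file and at least one weight shard."""
    if not path.is_dir():
        return False
    if not all((path / f).is_file() for f in REQUIRED_FILES):
        return False
    return any(p.suffix in WEIGHT_SUFFIXES for p in path.iterdir() if p.is_file())


def resolve_model_path(user_path: str, roots=DEFAULT_ROOTS) -> Path:
    """Resolve a user-supplied model path and require it to sit under an
    allowed root, so a typo or a crafted value cannot point the agent at
    arbitrary host directories. Symlinks are resolved before the check."""
    candidate = Path(user_path).expanduser().resolve()
    allowed = [Path(r).expanduser().resolve() for r in roots]
    if not any(candidate == r or r in candidate.parents for r in allowed):
        raise PermissionError(f"{candidate} is outside allowed model roots {allowed}")
    if not is_model_dir(candidate):
        raise FileNotFoundError(f"{candidate} is not a model directory")
    return candidate


def find_models(roots=DEFAULT_ROOTS, max_depth: int = 3) -> list[Path]:
    """Bounded search: walk only the allowed roots, to a small depth,
    instead of the whole filesystem."""
    found = []
    for root in roots:
        root = Path(root).expanduser().resolve()
        if not root.is_dir():
            continue
        base_depth = len(root.parts)
        for dirpath, dirnames, _ in os.walk(root):
            d = Path(dirpath)
            if len(d.parts) - base_depth >= max_depth:
                dirnames[:] = []  # prune: do not descend further
            if is_model_dir(d):
                found.append(d)
                dirnames[:] = []  # a model directory needs no deeper walk
    return sorted(found)


def build_sample_layout() -> tuple[Path, Path, Path]:
    """Constructed sample layout for this example: an allowed model root with
    one HF-style checkpoint, plus a look-alike directory outside that root."""
    base = Path(tempfile.mkdtemp(prefix="vllm-scope-")).resolve()
    root = base / "models"
    model = root / "org" / "demo-7b"
    model.mkdir(parents=True)
    (model / "config.json").write_text("{}")
    (model / "model-00001-of-00001.safetensors").write_bytes(b"")
    outside = base / "secrets"  # looks like a model dir, but is out of scope
    outside.mkdir()
    (outside / "config.json").write_text("{}")
    (outside / "weights.bin").write_bytes(b"")
    return root, model, outside


if __name__ == "__main__":
    root, model, outside = build_sample_layout()
    print("found under root:", find_models(roots=(root,)))
    print("explicit path ok:", resolve_model_path(str(model), roots=(root,)))
    try:
        resolve_model_path(str(outside), roots=(root,))
    except PermissionError as exc:
        print("rejected:", exc)
```

The walk is pruned at `max_depth` and stops descending once a model directory is found, so the cost and the disclosure are bounded by the roots the user named rather than by the size of the host.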

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The troubleshooting section repeats guidance to ask for proxy settings and configure them, again without warning that these values may include credentials or sensitive internal routing information. Repetition in troubleshooting increases the chance that operators will casually collect or reveal secrets while trying to fix connectivity issues.
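Findings 4 and 6 both concern proxy values that may carry credentials. The following is an added example (not code from the scanned skill) of the check a setup script can run before it echoes, logs, or stores `http_proxy` / `https_proxy`: detect embedded userinfo and redact it while keeping the scheme, host, and port that are still useful for troubleshooting. The function names and the sample proxy values are constructed for this example.

```python
"""Proxy setting hygiene: an added example, not part of the scanned skill.

Before a setup skill repeats http_proxy/https_proxy back to the user, writes
them to a log, or stores them in a config file, detect embedded userinfo
(user:password@host) and redact it. Names here are hypothetical.
"""
import os
from urllib.parse import urlsplit, urlunsplit

PROXY_VARS = (
    "http_proxy", "https_proxy", "all_proxy",
    "HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY",
)


def _split(url: str):
    """urlsplit only recognises userinfo when a scheme is present, so add a
    placeholder scheme for bare host:port values."""
    had_scheme = "://" in url
    return had_scheme, urlsplit(url if had_scheme else "http://" + url)


def proxy_has_credentials(url: str) -> bool:
    """True if the proxy URL embeds a username and/or password."""
    _, parts = _split(url)
    return bool(parts.username or parts.password)


def redact_proxy(url: str) -> str:
    """Return the URL with userinfo replaced by ***:***; scheme, host and
    port are kept so the value stays useful when debugging connectivity."""
    had_scheme, parts = _split(url)
    if not (parts.username or parts.password):
        return url
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    if parts.port:
        host += f":{parts.port}"
    out = urlunsplit((parts.scheme, "***:***@" + host, parts.path, parts.query, parts.fragment))
    return out if had_scheme else out[len("http://"):]


def collect_proxy_settings(env=None) -> dict:
    """Gather proxy variables from `env` (default: the process environment)
    and return redacted values plus a flag, so the caller can warn the user
    instead of pasting secrets into an agent chat or a log line."""
    env = os.environ if env is None else env
    report = {}
    for name in PROXY_VARS:
        value = env.get(name)
        if value:
            report[name] = {
                "value": redact_proxy(value),
                "has_credentials": proxy_has_credentials(value),
            }
    return report


if __name__ == "__main__":
    # Constructed sample environment for the example.
    sample_env = {
        "https_proxy": "https://bob:pw@10.0.0.5:8080",
        "http_proxy": "http://10.0.0.5:8080",
    }
    for name, info in collect_proxy_settings(sample_env).items():
        flag = " (credentials redacted)" if info["has_credentials"] else ""
        print(f"{name}={info['value']}{flag}")
```

An agent that follows the skill's troubleshooting steps should print only the redacted form and, when `has_credentials` is set, ask the operator to supply the secret through the environment rather than in chat.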

VirusTotal

VirusTotal findings are pending for this skill version.
