Back to skill

Security audit

Nginx Proxy Manager

Security checks across malware telemetry and agentic risk

Overview

This Nginx Proxy Manager helper is coherent, but it can make live proxy changes and delete hosts while caching an admin token with weak guardrails.

Install only in a trusted environment where NPM admin credentials and /root/.npm-token.json are protected. Review every generated API request before it runs, avoid using delete on production hosts without an independent backup and rollback plan, and remove or rotate the cached token when the skill is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly requires sensitive capabilities including environment access for admin credentials, file interaction via local scripts, and network access to an administrative REST API, yet it declares no permissions. This creates a transparency and governance gap: operators and users cannot accurately assess what the skill can access before use, increasing the risk of over-privileged deployment and unintended credential or infrastructure exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill around managing hosts, certificates, access lists, and status checks, but the documented commands also allow deleting proxy hosts. Undisclosed destructive behavior is dangerous because users may invoke or approve the skill under the assumption that it only performs additive or administrative actions, leading to outages or accidental loss of routing configuration.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script exposes a destructive delete capability that is not described in the skill metadata, so users or higher-level agents may invoke behavior they were not informed existed. Hidden destructive functionality increases the chance of accidental or unauthorized infrastructure changes, especially in autonomous workflows.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The workflow documents state-changing operations like adding or modifying proxy hosts and SSL settings without warning about outage risk, misrouting, or certificate-related service disruption. In the context of reverse proxy administration, even legitimate changes can immediately affect production traffic, so omission of cautions materially increases operational risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to configure NPM admin email and password in environment variables and use them against the REST API, but provides no guidance on secure storage, rotation, least privilege, or log hygiene. Because these are administrative credentials for infrastructure management, poor handling could enable full compromise of proxy configuration, certificate management, and exposed services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The authentication token is persisted to /root/.npm-token.json without any permission hardening, encryption, or user disclosure. If the host is multi-user, containerized with shared volumes, or later compromised, the cached bearer token can be reused to administer the NPM instance without the original password.

Missing User Warnings

High
Confidence
97% confidence
Finding
Deleting proxy hosts is a destructive action, yet the script performs it immediately with no confirmation, dry-run mode, or safety interlock. In an agentic context, a mistaken argument, prompt injection, or automation error could irreversibly remove production routing and cause outage or service exposure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.