kubevpn

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only KubeVPN skill: its powerful Kubernetes networking commands are disclosed in the skill text and align with its stated debugging purpose.

Install only if you trust KubeVPN and are authorized to change the target cluster. Prefer non-production namespaces, header-scoped routing, and least-privilege kube contexts. Keep inline tokens, passwords, and kubeconfig JSON out of command lines, since they persist in shell history and logs. Confirm the context, namespace, target workload, and cleanup plan before using proxy, run, sync, reset, or uninstall.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The skill documents traffic interception and workload-altering operations such as proxying, cloning, and injected containers, but does not prominently warn that these actions can affect live service routing, mutate cluster resources, or disrupt other users. In a Kubernetes production-like environment, omitting those cautions increases the chance of unsafe use and unintended service impact.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The documentation describes automatic deployment of a traffic-manager and cluster traffic interception without prominently warning that running the command changes cluster state and can affect workload traffic paths. In a tool that modifies live Kubernetes networking, omission of explicit impact and consent warnings can lead operators to unintentionally alter production or shared environments.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: This section states that a sidecar uses iptables to intercept all inbound traffic and that the original container receives no traffic, but it does not frame this as a high-impact operational risk. In shared or production clusters, such interception can effectively reroute or deny service to the original workload, making accidental misuse dangerous even if the feature is intentional.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: Local run mode copies pod environment variables and volume mounts into a local Docker container, which can expose secrets, tokens, certificates, and application data onto a developer workstation. Without explicit warning and handling guidance, users may unknowingly replicate sensitive production material outside the cluster's security boundary.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documentation exposes a highly destructive `uninstall` capability that removes cluster resources and local Docker/network/DNS state, but it does not prominently warn about blast radius, prerequisites, or recovery implications. In an agent skill context, this increases the chance an automated assistant may suggest or invoke the command inappropriately, causing service disruption or irreversible environment cleanup.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The `proxy` section states that traffic interception can capture all inbound traffic, including L4/TCP/UDP, but does not clearly warn that this can divert production or shared-environment traffic away from the original workload. In a skill used by an agent, omission of such warnings makes accidental service impact more likely.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The `run` command explicitly imports pod environment variables, downloads mounted volumes, and defaults to `--privileged=true`, which can expose sensitive secrets and create a powerful local execution environment. Without a strong warning, users or agents may unintentionally materialize production secrets and privileged workloads on a developer machine.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
- --namespace=test
---
Name: all-in-one
Description: inline kubeconfig via JSON
Flags:
- connect
- --kubeconfig-json={"apiVersion":"v1","clusters":[...]}
Confidence: 86%
Finding: kubeconfig

Credential Access

Severity: High
Category: Privilege Escalation
Content:
| `--kubeconfig` | Path to kubeconfig file |
| `--context` | Kubeconfig context to use |
| `-n`, `--namespace` | Namespace scope |
| `--cluster` | Kubeconfig cluster to use |
| `--user` | Kubeconfig user to use |
| `--server` / `-s` | Kubernetes API server address |
| `--token` | Bearer token for API server auth |
Confidence: 83%
Finding: Kubeconfig

Credential Access

Severity: High
Category: Privilege Escalation
Content:
| `--ssh-keyfile` | Path to SSH private key file |
| `--ssh-alias` | SSH config alias from `~/.ssh/config` |
| `--ssh-jump` | Inline ProxyJump config string eg: `--ssh-addr jump.example.org --ssh-username user --gssapi-password xxx` |
| `--remote-kubeconfig` | Path to kubeconfig on remote SSH server |
| `--gssapi-keytab` | GSSAPI keytab file path |
| `--gssapi-cache` | GSSAPI cache file path (from `kinit -c`) |
| `--gssapi-password` | GSSAPI password |
Confidence: 89%
Finding: kubeconfig
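The overview's guidance (confirm context and namespace before mutating commands; keep tokens, passwords and kubeconfig JSON out of command history) and the credential-access findings above (`--token`, `--kubeconfig-json`, `--gssapi-password`, and secrets embedded in an inline `--ssh-jump` string) can be enforced mechanically with a pre-flight wrapper. The block below is an added example and is not code from KubeVPN or from the skill; the wrapper name `safe_kubevpn`, the protected-context patterns, the exit codes, and the set of subcommands treated as state-changing are this example's own assumptions. The flag names are the ones the skill documents.

```shell
#!/bin/sh
# Added example: pre-flight checks for kubevpn invocations. Not part of
# KubeVPN or the skill. Assumptions: protected-context patterns, exit codes,
# the mutating-subcommand list and the wrapper name are this example's own.

# Subcommands that change cluster or local state (assumed list, drawn from
# the skill's own "confirm before using" guidance plus connect).
MUTATING_SUBCOMMANDS="proxy run sync reset uninstall connect"

# Returns 0 if any argument carries a secret inline (flag itself or a value
# such as a quoted --ssh-jump string); such arguments land in history/logs.
args_have_inline_secret() {
  for arg in "$@"; do
    case "$arg" in
      --token|--token=*|--kubeconfig-json|--kubeconfig-json=*) return 0 ;;
      *--gssapi-password*|*--password*) return 0 ;;
    esac
  done
  return 1
}

# Returns 0 if the kube context name looks like a protected environment
# (assumed naming convention; adjust to your clusters).
context_is_protected() {
  case "$1" in
    *prod*|*production*|*live*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 if an explicit namespace flag is present.
has_namespace_flag() {
  for arg in "$@"; do
    case "$arg" in
      -n|-n=*|--namespace|--namespace=*) return 0 ;;
    esac
  done
  return 1
}

# Prints the --context value from the arguments, or fails if none was given.
context_from_args() {
  prev=""
  for arg in "$@"; do
    case "$arg" in
      --context=*) printf '%s\n' "${arg#--context=}"; return 0 ;;
    esac
    if [ "$prev" = "--context" ]; then printf '%s\n' "$arg"; return 0; fi
    prev="$arg"
  done
  return 1
}

# preflight CONTEXT SUBCOMMAND [ARGS...]
# Exit codes (assumed): 0 ok, 1 usage, 2 inline secret, 3 protected context,
# 4 state-changing subcommand without an explicit namespace.
preflight() {
  ctx="$1"; shift
  sub="$1"
  [ -n "$sub" ] || { echo "usage: preflight CONTEXT SUBCOMMAND [ARGS...]" >&2; return 1; }
  if args_have_inline_secret "$@"; then
    echo "refusing: inline credential in arguments; use --kubeconfig/--context or a keytab/keyfile path" >&2
    return 2
  fi
  if context_is_protected "$ctx"; then
    echo "refusing: context '$ctx' matches a protected pattern" >&2
    return 3
  fi
  case " $MUTATING_SUBCOMMANDS " in
    *" $sub "*)
      if ! has_namespace_flag "$@"; then
        echo "refusing: '$sub' changes cluster/local state; pass an explicit --namespace" >&2
        return 4
      fi ;;
  esac
  return 0
}

# Wrapper: honour an explicit --context, else fall back to the current
# kubectl context, run the checks, then hand the argv to kubevpn unchanged.
safe_kubevpn() {
  ctx="$(context_from_args "$@" 2>/dev/null)" \
    || ctx="$(kubectl config current-context 2>/dev/null || echo unknown)"
  preflight "$ctx" "$@" || return $?
  exec kubevpn "$@"
}
```

Call `safe_kubevpn proxy deploy/my-svc --namespace dev` instead of `kubevpn` directly. The secret check is a substring match over every argument, so it also catches a password smuggled inside a single quoted `--ssh-jump` value, while file-based credentials (`--kubeconfig`, `--ssh-keyfile`, `--gssapi-keytab`, `--gssapi-cache`) pass through, which is the path the overview recommends. The context check only looks at the name; it does not query the cluster.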


VirusTotal

66 of 66 vendors reported this skill as clean (no detections).