Back to skill

Security audit

Nginx Config

Security checks across malware telemetry and agentic risk

Overview

This skill mostly provides Nginx config generation, but it also includes an unrelated system-operations script that reads host state and quietly records command history.

Review before installing. Use only if you are comfortable with the extra system-operations helper reading local host/log information and keeping a local command-argument history. For a narrower install, prefer the purpose-aligned scripts/nginx.sh generator and avoid exposing scripts/script.sh as nginx-config unless it is renamed, documented, and logging is controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script is presented as an nginx configuration tool, but its behavior is a generic system inspection and operations helper that collects host information and suggests operational commands. This mismatch can mislead users into granting trust or execution in contexts where they would not expect system-wide monitoring behavior, increasing the risk of deceptive use and inappropriate deployment.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger text is broad and underspecified, so the skill may activate on vague mentions of 'nginx config' without clear user intent or scope boundaries. In an agent setting, ambiguous activation can cause the wrong skill to run and generate or suggest sensitive server configuration changes that the user did not explicitly request.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The logging helper writes command names and user-supplied arguments to a persistent history file under the user's data directory without any notice, consent, retention policy, or redaction. Arguments may contain hostnames, paths, service names, thresholds, or other operationally sensitive data, creating an unintended local audit trail that could expose sensitive information to other processes or users with access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.