Zstack Mcp

Security checks across malware telemetry and agentic risk

Overview

This ZStack MCP skill is purpose-aligned, but it stores and ships cloud credentials and can be switched into broad write-capable cloud API access, so it needs careful review before installation.

Install only with a dedicated least-privilege read-only ZStack account or short-lived token. Delete the bundled zstack.env values before use, rotate the included password if it could be real, keep ZSTACK_ALLOW_ALL_API disabled unless you intentionally want supervised write access, protect or remove mcporter-stored credentials after use, and verify the external zstack-mcp-server package and ZStack endpoint before connecting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation instructs users to run shell commands, install packages, read/write local config files, and communicate with a remote ZStack API, yet it declares no permissions. This creates a transparency and governance gap: an agent or platform may treat the skill as lower-risk than it really is, despite it handling credentials, modifying configuration, and enabling broad API access.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script writes the ZStack username, plaintext password, and a live session token into a local env file, creating reusable credentials on disk. In the context of an MCP skill that can access 2000+ cloud API endpoints, compromise of that file could allow broad account access and undermines the claimed read-only safety posture.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The comment indicates write access can be enabled with a simple configuration toggle, which directly contradicts the skill's description of read-only safety. That mismatch is dangerous because users or downstream agents may trust the integration as non-destructive while the actual configuration model permits privileged write operations.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script writes either a reusable SessionID or raw account/password credentials into the mcporter JSON configuration on disk, even though the skill description emphasizes read-only safety. This is dangerous because those credentials can typically be reused outside the MCP wrapper and may permit write-capable API access if the account itself has broader ZStack permissions.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The script explicitly instructs users to enable all API operations by adding ZSTACK_ALLOW_ALL_API=true, which undermines the stated read-only safety posture of the skill. In this context, exposing a simple path to write access is risky because this MCP server fronts 2000+ cloud APIs, so a misconfigured or over-privileged deployment could allow destructive infrastructure changes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly advertises both write-capable API execution and credential-based authentication, but does not clearly warn users that these operations can modify or disrupt live cloud resources. In the context of a ZStack integration exposing 2000+ APIs, this omission increases the chance that a user or agent invokes destructive actions under the assumption that the skill is generally safe because it mentions a default read-only mode.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Saving plaintext credentials and a session token without an explicit sensitivity warning or protective controls materially increases the likelihood of accidental exposure through backups, shell use, source control, or local compromise. Because these values grant access to a cloud control plane, disclosure could lead to unauthorized infrastructure access or modification.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Python block serializes ZStack SessionID or username/password directly into a JSON config file without any explicit disclosure that secrets will be stored on disk. This increases the chance of accidental credential exposure through backups, logs, source control, shared home directories, or other local compromise.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 4. Manually test the ZStack API connection
source ~/clawd/skills/zstack-mcp/config/zstack.env
curl -X POST "$ZSTACK_API_URL/zstack/api" \
  -H "Content-Type: application/json" \
  -d "{\"org.zstack.header.identity.APILoginMessage\":{\"accountName\":\"$ZSTACK_ACCOUNT\",\"password\":\"$ZSTACK_PASSWORD\"}}"
```
Confidence
91% confidence
Finding
curl -X POST "$ZSTACK_API_URL/zstack/api" \ -H "Content-Type: application/json" \ -d

Credential Access

High
Category
Privilege Escalation
Content
```bash
mcporter daemon status

# 4. Manually test the ZStack API connection
source ~/clawd/skills/zstack-mcp/config/zstack.env
curl -X POST "$ZSTACK_API_URL/zstack/api" \
  -H "Content-Type: application/json" \
  -d "{\"org.zstack.header.identity.APILoginMessage\":{\"accountName\":\"$ZSTACK_ACCOUNT\",\"password\":\"$ZSTACK_PASSWORD\"}}"
```
Confidence
95% confidence
Finding
.env

VirusTotal

VirusTotal findings are pending for this skill version.