Back to skill

Security audit

NginxWebUI Manager

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it needs Review because it can administer live NginxWebUI routing, delete rules, reload nginx, and persist an admin token in a hard-coded workspace .env file.

Install only if you intentionally want an agent to administer a live NginxWebUI instance through Docker. Use limited credentials, keep the workspace .env file private and out of source control, rotate or remove stored tokens when finished, and manually verify every delete or reload command before allowing it to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documents and relies on powerful capabilities—environment-variable handling, writing `.env`, network/API access, and shelling out via `docker exec`—but does not declare permissions. In this context, the undocumented requirement for Docker socket access is especially sensitive because it effectively grants container-level code execution and can enable host compromise if misused.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill auto-loads a workspace `.env` file and imports all key/value pairs into the process environment, which extends its access beyond the stated NginxWebUI management purpose into broad credential access. In a shared workspace, this can unintentionally expose unrelated secrets and makes the skill capable of harvesting sensitive configuration not needed for its core function.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script persists refreshed authentication tokens back into a local workspace `.env` file, creating durable credential storage outside the immediate session. This broadens the skill from API management into credential persistence, increasing exposure to accidental disclosure, reuse by other processes, or compromise through workspace access.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill exposes operationally destructive actions such as deleting servers/locations and reloading nginx without any warning about downtime, routing breakage, or production impact. In an agent setting, this increases the chance of unsafe or accidental execution because users are not prompted to confirm configuration-changing operations or validate targets before applying them.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The authentication flow instructs users to store an API token in `.env` without warning about token lifetime, local file exposure, accidental commits, or reuse by other processes. Because this token administers NginxWebUI, compromise could allow unauthorized proxy changes, traffic redirection, or service disruption.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code silently writes the authentication token to a workspace `.env` file without warning the user that credentials are being persisted. This is dangerous because users may reasonably expect a transient login, while the token remains available to other tools, sessions, or users with workspace access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.