Back to skill

Security audit

Juxingyi Configure

Security checks across malware telemetry and agentic risk

Overview

This is a coherent operations guide, but it publicly includes production infrastructure details and root-level deployment/database commands that need careful review before installation.

Install only if this is intended for a trusted, private operational context. Before broader use, redact the production IP, hostnames, and paths, replace root SSH examples with scoped placeholders, and add dry-run, backup, approval, and rollback steps around deployment and database commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The document includes concrete privileged operational procedures such as SSH as root, rsync/scp to production, Docker lifecycle control, and direct SQL execution against the live database. Even though presented as ops guidance, embedding these actions in a broadly accessible skill materially lowers the barrier to unauthorized or destructive administration if the skill is exposed to untrusted users or an agent follows it blindly.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill exposes sensitive infrastructure details including a public server IP, internal service topology, hostnames, localhost bindings, and deployment locations. This information enables reconnaissance, targeting, and chaining with other weaknesses by giving an attacker precise knowledge of production assets and administrative paths.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The deployment commands use destructive sync behavior such as rsync --delete against remote production directories without prominent warnings, safeguards, or rollback steps. This creates a realistic risk of accidental data loss, service breakage, or overwriting of production content if executed in the wrong directory or with incorrect paths.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.