Security audit

Vmware Harden

Security checks across malware telemetry and agentic risk

Overview

This VMware compliance skill is mostly read-oriented, but its documentation inconsistently describes a remediation `apply` path that can trigger real infrastructure changes through another tool, `vmware-pilot`.

Review before installing in production. This appears to be a compliance auditing skill, not malware, but only install it if you are comfortable with its VMware-family tooling and can enforce that remediation execution remains explicitly approved through `vmware-pilot`. Do not set `ANTHROPIC_API_KEY` unless your organization permits compliance findings and infrastructure evidence to be sent to Anthropic.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium (93% confidence)
Finding
The documentation references `vmware-harden apply --pilot real`, which contradicts the skill metadata stating this skill only suggests remediations and does not execute them directly. In a security/compliance tool, documenting an execution path can cause operators or downstream agents to assume remediation is available and safe, increasing the chance of unintended configuration changes in sensitive VMware environments.

Intent-Code Divergence

Low (76% confidence)
Finding
The file claims there are seven top-level command groups, but later mentions an additional `apply` command. While primarily a documentation integrity issue, in an agent-operated environment inconsistent command documentation can misroute automation or lead an agent to invoke unintended capabilities, especially where remediation and audit functions must remain separated.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The documentation says the skill only suggests remediations, but the documented workflow shows an `apply` action that causes real infrastructure changes via `vmware-pilot`. That mismatch can mislead operators, reviewers, or higher-level agents into treating the skill as read-only when it can in fact initiate write actions through orchestration, increasing the risk of unintended or insufficiently reviewed changes in production VMware environments.

Intent-Code Divergence

Low (83% confidence)
Finding
The file creates intent ambiguity by asserting the skill never executes remediations directly while also documenting a built-in `apply` path that initiates those remediations through another skill. Even if execution is indirect, this ambiguity matters because security boundaries and user expectations often depend on whether a tool is effectively read-only or capable of causing state changes.

Missing User Warnings

Medium (95% confidence)
Finding
The `advise` command sends violation context to an LLM provider when `ANTHROPIC_API_KEY` is set, but the user-facing documentation does not warn that compliance findings and environment metadata may be transmitted to an external service. In VMware compliance auditing, violation data can reveal sensitive infrastructure details, creating confidentiality and policy-compliance risk if users enable the real provider by setting the key without informed consent.
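The three finding classes above (an undeclared subcommand, a suggest-only claim contradicted by a documented write path, and an API key referenced without a transmission warning) can be checked mechanically before a skill is installed. The following lint is an added example, not code from this audit page or from the vmware-harden skill; the frontmatter keys `executes_remediation` and `commands`, the list of write-capable subcommand names, and the sample SKILL.md document are all constructed assumptions for the example.

```python
"""Lint a skill's SKILL.md for description-behavior mismatches.

Checks, over a constructed sample document:
  1. subcommands documented in the body but absent from the declared command list
  2. a metadata claim that the skill never executes remediations, contradicted by
     a documented write-capable subcommand such as `apply`
  3. an LLM API key environment variable mentioned with no warning that data
     leaves the host
The frontmatter keys and the sample are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample SKILL.md. The YAML-like frontmatter keys are assumed;
# they are not the real skill's metadata schema.
SAMPLE_SKILL_MD = """\
---
name: vmware-harden
executes_remediation: false
commands: [audit, report, baseline, diff, export, advise, status]
---
# VMware Harden

Run `vmware-harden audit --profile stig` to collect findings.
Use `vmware-harden advise` to get remediation suggestions; set
ANTHROPIC_API_KEY to use the real provider.
Remediate with `vmware-harden apply --pilot real`, which hands the
plan to vmware-pilot.
"""

@dataclass
class Finding:
    kind: str
    detail: str

_FRONTMATTER = re.compile(r"\A---\n(.*?)\n---\n", re.S)
# Phrases that count as an explicit data-transmission warning (assumed list).
_WARN_WORDS = ("sent to", "transmitted", "external service", "third party", "leaves your")

def parse_frontmatter(text):
    """Parse the minimal key: value / key: [a, b] frontmatter used in the sample."""
    m = _FRONTMATTER.match(text)
    meta = {}
    if not m:
        return meta
    for line in m.group(1).splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            meta[key.strip()] = [x.strip() for x in value[1:-1].split(",") if x.strip()]
        elif value.lower() in ("true", "false"):
            meta[key.strip()] = value.lower() == "true"
        else:
            meta[key.strip()] = value
    return meta

def documented_subcommands(text, tool):
    """Subcommands that appear as `<tool> <sub> ...` in backticked invocations."""
    pattern = r"`%s\s+([a-z][a-z0-9-]*)" % re.escape(tool)
    return sorted(set(re.findall(pattern, text)))

def lint_skill(text, tool="vmware-harden", write_cmds=("apply", "remediate", "fix")):
    meta = parse_frontmatter(text)
    body = _FRONTMATTER.sub("", text, count=1)
    findings = []

    declared = set(meta.get("commands", []))
    documented = documented_subcommands(body, tool)
    undeclared = [c for c in documented if c not in declared]
    if undeclared:
        findings.append(Finding("intent-code-divergence",
                                "documented but undeclared subcommands: %s" % undeclared))

    # Suggest-only claim in metadata versus a documented write path in the body.
    if meta.get("executes_remediation") is False:
        writes = [c for c in documented if c in write_cmds]
        if writes:
            findings.append(Finding("description-behavior-mismatch",
                                    "metadata says suggest-only but docs show %s" % writes))

    # Any *_API_KEY mention must be accompanied by a transmission warning.
    keys = sorted(set(re.findall(r"\b[A-Z][A-Z0-9_]*_API_KEY\b", body)))
    if keys and not any(w in body.lower() for w in _WARN_WORDS):
        findings.append(Finding("missing-user-warning",
                                "%s referenced without a data-transmission warning" % keys))
    return findings

if __name__ == "__main__":
    for f in lint_skill(SAMPLE_SKILL_MD):
        print("%-30s %s" % (f.kind, f.detail))
```

Run against the constructed sample, the lint reports all three classes; removing the `apply` line and adding "findings are sent to Anthropic" next to the key clears it. The write-capable subcommand list and the warning phrases are deliberately small and should be tuned to the skill catalogue being reviewed.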

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.