Vmware Aiops

Security checks across malware telemetry and agentic risk

Overview

This looks like a real VMware automation skill, but it needs review because it can make major infrastructure changes and run commands inside VMs while some approval guidance is inconsistent.

Install only if you intend to let an agent manage VMware infrastructure. Use a dedicated least-privilege vCenter/ESXi account, keep TLS verification on in production, leave webhooks and the daemon disabled unless needed, and require explicit human review before guest command execution, file transfers, VM deletion/power changes, migration, cluster changes, or alarm reset. Review the exact PyPI/GitHub source version before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The capability reference presents conflicting safety guarantees: some write and execution actions are shown as requiring no confirmation, while later text asserts destructive operations cannot bypass double confirmation. In a high-impact VMware operations skill, this inconsistency can cause an agent or operator to treat dangerous actions as pre-approved, leading to unauthorized VM state changes or in-guest code execution.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The safety section claims all destructive operations require double confirmation, but the earlier tables document several impactful actions without confirmation markers. In this skill context, documentation is part of the control surface for agent behavior, so contradictory guidance weakens human gating and can normalize unsafe execution of VM lifecycle operations.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The reference file instructs agents to use vmware-aiops for diagnostic investigations, including read-heavy analysis, while the skill manifest defines vmware-aiops as an operational VM-management entry point and explicitly says not to use it for read-only queries. This mismatch can route open-ended investigative requests into a higher-privilege skill surface than intended, increasing the chance of unnecessary write-capable tool invocation during diagnosis.

Missing User Warnings

Medium
Confidence: 92%
Finding
Documenting guest command execution without a prominent warning understates that this capability runs code inside guest operating systems and can change system state, access secrets, or disrupt services. In a VMware automation skill, guest exec is effectively remote code execution on managed workloads, so treating it like a routine operation materially increases abuse risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
Guest upload and download enable movement of files into and out of VMs, which can expose sensitive data, introduce malware, or exfiltrate logs and credentials if used without clear privacy and handling constraints. In this context, these are not benign file operations but privileged data-plane actions across managed infrastructure.

Missing User Warnings

Medium
Confidence: 84%
Finding
Guest command execution and file transfer into VMs materially expand the attack surface because they enable arbitrary code execution and privileged file access inside guest systems. In this skill's context, these operations are especially sensitive since they may be used by an automation agent at scale, and the documentation normalizes root-level examples without guardrails or warnings.

Vague Triggers

Medium
Confidence: 79%
Finding
The trigger conditions are broad enough to capture many ordinary 'why/diagnose/debug' requests without tightly constraining scope, tool class, or privilege level. In the context of a skill adjacent to operational VMware actions, this can cause over-selection of an investigation workflow and, combined with skill-routing ambiguity, may steer agents toward an inappropriate or overly privileged path.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.