Vmware Monitor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent read-only VMware monitoring skill, with optional user-enabled webhooks and a diagnostic workflow that users should keep scoped to VMware and read-first investigation.

Install only if you intend to let the agent read VMware inventory, alarms, events, and VM details using your configured vCenter or ESXi credentials. Keep webhook notifications disabled unless you are comfortable sending summarized monitoring metadata to the configured Slack, Discord, or HTTP endpoint, and require explicit approval before any companion remediation skill performs changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Medium (93% confidence)

Finding:
This document materially broadens a nominally read-only VMware monitoring skill into an open-ended investigation framework that directs causal analysis and multi-step diagnostic behavior beyond simple state retrieval. That scope expansion is dangerous because it can cause an orchestrator or agent to route ambiguous 'investigate/diagnose' requests into this skill, increasing the chance of unauthorized capability creep, policy bypass, or unsafe delegation into other tools under the guise of diagnosis.

Context-Inappropriate Capability

Medium (96% confidence)

Finding:
The protocol explicitly instructs chaining into external skills, including a remediation-capable skill, and says write tools may be invoked once criteria are satisfied and the user approves a remediation plan. In a skill advertised as code-level read-only, this creates a dangerous authority expansion path where the document can influence an agent to transition from safe observation into privileged or destructive actions, undermining the safety boundary implied by the skill metadata.

Intent-Code Divergence

Medium (90% confidence)

Finding:
The documentation claims 'No data is sent to third-party services' while also permitting Slack, Discord, or arbitrary HTTP webhooks. That contradiction can mislead operators into enabling the tool under false assumptions about egress and data handling, increasing the risk of unintended information disclosure to external services.

Vague Triggers

Medium (84% confidence)

Finding:
The trigger conditions are broad enough to capture generic requests like 'investigate', 'diagnose', or 'why is X slow' without tightly anchoring them to VMware read-only monitoring tasks. This can cause over-selection of the skill for ambiguous prompts, pulling the agent into workflows the skill was not meant to own and compounding the scope-expansion and cross-skill delegation risks elsewhere in the file.

VirusTotal

64/64 vendors flagged this skill as clean.