We ran skill-scanner against the skills in ocp-admin and rh-virt and it found some issues
Safety Scan Summary (click to expand)
Safety Scan Summary
Scan date: 2026-04-29
Gist with full results: https://gist.github.com/Cali0707/21a5654bc5030922dbe9931646df72b4
Overview
| Pack |
Skills Scanned |
Total Findings |
Safe |
Unsafe |
Critical |
High |
Medium |
Low |
Info |
| ocp-admin |
3 |
9 |
2 |
1 |
0 |
2 |
2 |
2 |
3 |
| rh-virt |
10 |
51 |
6 |
4 |
0 |
4 |
15 |
22 |
10 |
| Total |
13 |
60 |
8 |
5 |
0 |
6 |
17 |
24 |
13 |
ocp-admin Findings
cluster-report — UNSAFE (HIGH)
- HIGH — Anti-inspection directives discourage auditing helper scripts (detection evasion)
- HIGH — Unpinned external helper script execution without integrity verification (supply chain risk)
- MEDIUM — Potential data exposure via world-readable temp files in
/tmp
- INFO — Missing license
cluster-creator — Safe (MEDIUM)
- MEDIUM — Potential command/argument injection via untrusted URL in
curl command
- INFO — Missing license
cluster-inventory — Safe (LOW)
- LOW — External MCP server dependency without provenance controls
- LOW — Missing
allowed-tools and CLI fallback may enable unintended tool execution
- INFO — Missing license
rh-virt Findings
vm-snapshot-create — UNSAFE (HIGH)
- HIGH — YAML/manifest injection risk when constructing Kubernetes resource from untrusted inputs
- MEDIUM — Unpinned external MCP server dependency
- MEDIUM — Over-broad generic tool (
resources_create_or_update) enables unintended resource modification
- INFO — Missing license
vm-inventory — UNSAFE (HIGH)
- HIGH — CLI fallback uses untrusted user input without sanitization (command injection risk)
- MEDIUM — Potential indirect prompt injection via external local documentation
- MEDIUM — Conflicting human-in-the-loop guidance may enable unintended command execution
- LOW — Potential compute exhaustion from unbounded all-namespaces listing
- LOW — External MCP server dependency without version pinning
- INFO — Missing license
vm-rebalance — UNSAFE (HIGH)
- HIGH — Unpinned external MCP server dependency (supply chain risk)
- LOW — Broken/ambiguous internal references
- LOW — Optional manifest fields missing
- INFO — Missing license
vm-delete — UNSAFE (HIGH)
- HIGH — Batch deletion weak confirmation enables unintended mass deletions
- MEDIUM — Unpinned external MCP server dependency
- LOW — Missing provenance metadata
- INFO — Missing license
vm-create — Safe (MEDIUM)
- MEDIUM — External MCP server dependency without pinning
- MEDIUM — Guidance to execute shell commands outside declared tool boundaries
- LOW — Security assurance about image sources without enforcement
- LOW — Potential unbounded polling
- LOW — Unspecified
allowed-tools
- INFO — Missing license
vm-lifecycle-manager — Safe (MEDIUM)
- MEDIUM — Unpinned external MCP server dependency
- MEDIUM — Inconsistent confirmation gating may enable unauthorized tool execution
- LOW — Missing license and provenance metadata
- INFO — Missing license
vm-snapshot-list — Safe (MEDIUM)
- MEDIUM — Unpinned external MCP server dependency
- LOW — Missing
allowed-tools guardrail
- INFO — Missing license
vm-snapshot-delete — Safe (MEDIUM)
- MEDIUM — Destructive MCP tool use relies only on instruction-level confirmation
- LOW — External MCP server dependency without provenance/version pinning
- LOW — No
allowed-tools restrictions declared
- LOW — Trigger phrases imply batch deletion capability not implemented
- INFO — Missing license
vm-clone — Safe (MEDIUM)
- MEDIUM — Unpinned external MCP server dependency
- LOW — Risk of cluster resource exhaustion via large/batch cloning
- INFO — Missing license
vm-snapshot-restore — Safe (LOW)
- LOW — Missing manifest metadata
- LOW — Over-broad activation phrasing
- INFO — Missing license
Common Themes
- Missing license — All 13 skills lack a
license field in their manifest
- Unpinned MCP server dependencies — Nearly every skill references external MCP servers without version pinning or integrity verification
- Command/argument injection — Several skills interpolate untrusted input into shell commands without sanitization
- Weak confirmation gates — Destructive operations (delete, batch delete) use generic or instruction-only confirmation rather than strict per-resource typed confirmation
To reproduce:
uv pip install cisco-ai-skill-scanner
export SKILL_SCANNER_LLM_API_KEY=<your openai key>
export SKILL_SCANNER_LLM_MODEL=openai/gpt-5
skill-scanner scan-all rh-virt --use-behavioral --recursive --check-overlap --fail-on-severity medium --use-llm --enable-meta --format json --output safety-rh-virt.json
skill-scanner scan-all ocp-admin --use-behavioral --recursive --check-overlap --fail-on-severity medium --use-llm --enable-meta --format json --output safety-ocp-admin.json
We ran skill-scanner against the skills in
ocp-adminandrh-virtand it found some issuesSafety Scan Summary (click to expand)
Safety Scan Summary
Scan date: 2026-04-29
Gist with full results: https://gist.github.com/Cali0707/21a5654bc5030922dbe9931646df72b4
Overview
ocp-admin Findings
cluster-report — UNSAFE (HIGH)
/tmpcluster-creator — Safe (MEDIUM)
curlcommandcluster-inventory — Safe (LOW)
allowed-toolsand CLI fallback may enable unintended tool executionrh-virt Findings
vm-snapshot-create — UNSAFE (HIGH)
resources_create_or_update) enables unintended resource modificationvm-inventory — UNSAFE (HIGH)
vm-rebalance — UNSAFE (HIGH)
vm-delete — UNSAFE (HIGH)
vm-create — Safe (MEDIUM)
allowed-toolsvm-lifecycle-manager — Safe (MEDIUM)
vm-snapshot-list — Safe (MEDIUM)
allowed-toolsguardrailvm-snapshot-delete — Safe (MEDIUM)
allowed-toolsrestrictions declaredvm-clone — Safe (MEDIUM)
vm-snapshot-restore — Safe (LOW)
Common Themes
licensefield in their manifestTo reproduce: