Skip to content

Address security scanner findings in ocp-admin and rh-virt skills #65

Description

@Cali0707

We ran skill-scanner against the skills in ocp-admin and rh-virt and it found some issues

Safety Scan Summary (click to expand)

Safety Scan Summary

Scan date: 2026-04-29
Gist with full results: https://gist.github.com/Cali0707/21a5654bc5030922dbe9931646df72b4

Overview

Pack Skills Scanned Total Findings Safe Unsafe Critical High Medium Low Info
ocp-admin 3 9 2 1 0 2 2 2 3
rh-virt 10 51 6 4 0 4 15 22 10
Total 13 60 8 5 0 6 17 24 13

ocp-admin Findings

cluster-report — UNSAFE (HIGH)

  • HIGH — Anti-inspection directives discourage auditing helper scripts (detection evasion)
  • HIGH — Unpinned external helper script execution without integrity verification (supply chain risk)
  • MEDIUM — Potential data exposure via world-readable temp files in /tmp
  • INFO — Missing license

cluster-creator — Safe (MEDIUM)

  • MEDIUM — Potential command/argument injection via untrusted URL in curl command
  • INFO — Missing license

cluster-inventory — Safe (LOW)

  • LOW — External MCP server dependency without provenance controls
  • LOW — Missing allowed-tools and CLI fallback may enable unintended tool execution
  • INFO — Missing license

rh-virt Findings

vm-snapshot-create — UNSAFE (HIGH)

  • HIGH — YAML/manifest injection risk when constructing Kubernetes resource from untrusted inputs
  • MEDIUM — Unpinned external MCP server dependency
  • MEDIUM — Over-broad generic tool (resources_create_or_update) enables unintended resource modification
  • INFO — Missing license

vm-inventory — UNSAFE (HIGH)

  • HIGH — CLI fallback uses untrusted user input without sanitization (command injection risk)
  • MEDIUM — Potential indirect prompt injection via external local documentation
  • MEDIUM — Conflicting human-in-the-loop guidance may enable unintended command execution
  • LOW — Potential compute exhaustion from unbounded all-namespaces listing
  • LOW — External MCP server dependency without version pinning
  • INFO — Missing license

vm-rebalance — UNSAFE (HIGH)

  • HIGH — Unpinned external MCP server dependency (supply chain risk)
  • LOW — Broken/ambiguous internal references
  • LOW — Optional manifest fields missing
  • INFO — Missing license

vm-delete — UNSAFE (HIGH)

  • HIGH — Batch deletion weak confirmation enables unintended mass deletions
  • MEDIUM — Unpinned external MCP server dependency
  • LOW — Missing provenance metadata
  • INFO — Missing license

vm-create — Safe (MEDIUM)

  • MEDIUM — External MCP server dependency without pinning
  • MEDIUM — Guidance to execute shell commands outside declared tool boundaries
  • LOW — Security assurance about image sources without enforcement
  • LOW — Potential unbounded polling
  • LOW — Unspecified allowed-tools
  • INFO — Missing license

vm-lifecycle-manager — Safe (MEDIUM)

  • MEDIUM — Unpinned external MCP server dependency
  • MEDIUM — Inconsistent confirmation gating may enable unauthorized tool execution
  • LOW — Missing license and provenance metadata
  • INFO — Missing license

vm-snapshot-list — Safe (MEDIUM)

  • MEDIUM — Unpinned external MCP server dependency
  • LOW — Missing allowed-tools guardrail
  • INFO — Missing license

vm-snapshot-delete — Safe (MEDIUM)

  • MEDIUM — Destructive MCP tool use relies only on instruction-level confirmation
  • LOW — External MCP server dependency without provenance/version pinning
  • LOW — No allowed-tools restrictions declared
  • LOW — Trigger phrases imply batch deletion capability not implemented
  • INFO — Missing license

vm-clone — Safe (MEDIUM)

  • MEDIUM — Unpinned external MCP server dependency
  • LOW — Risk of cluster resource exhaustion via large/batch cloning
  • INFO — Missing license

vm-snapshot-restore — Safe (LOW)

  • LOW — Missing manifest metadata
  • LOW — Over-broad activation phrasing
  • INFO — Missing license

Common Themes

  1. Missing license — All 13 skills lack a license field in their manifest
  2. Unpinned MCP server dependencies — Nearly every skill references external MCP servers without version pinning or integrity verification
  3. Command/argument injection — Several skills interpolate untrusted input into shell commands without sanitization
  4. Weak confirmation gates — Destructive operations (delete, batch delete) use generic or instruction-only confirmation rather than strict per-resource typed confirmation

To reproduce:

uv pip install cisco-ai-skill-scanner

export SKILL_SCANNER_LLM_API_KEY=<your openai key>
export SKILL_SCANNER_LLM_MODEL=openai/gpt-5

skill-scanner scan-all rh-virt --use-behavioral --recursive --check-overlap --fail-on-severity medium --use-llm --enable-meta --format json --output safety-rh-virt.json

skill-scanner scan-all ocp-admin --use-behavioral --recursive --check-overlap --fail-on-severity medium --use-llm --enable-meta --format json --output safety-ocp-admin.json

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions