Trusted — Risk Score 5/100
Last scan: 2 days ago
vmware-nsx-security
VMware NSX DFW microsegmentation and security — 20 MCP tools for distributed firewall, security groups, VM tags, Traceflow, and IDPS
This is a well-documented VMware NSX security management skill with no malicious behavior, no hidden functionality, and comprehensive safety controls covering audit logging, input validation, credential handling, and dry-run modes.
Skill name: vmware-nsx-security
Scan duration: 35.0s
Engine: pi
Safe to install
Approve for use. The skill is a legitimate infrastructure management tool with appropriate documentation, audit controls, and no high-risk indicators.

Findings (1 item)

Severity: Low
Finding: Bash allowed-tools declaration is broad
Location: SKILL.md:9
The 'Bash' tool is declared without a version pin on the vmware-nsx-security package: the installer declaration runs 'uv tool install vmware-nsx-security' with no version constraint, so whichever release is current on the package index at install time is the one that gets executed.
installer: kind: uv, package: vmware-nsx-security
→ Pin the installer to a specific release (uv accepts the shorthand 'vmware-nsx-security@<version>' as well as the PEP 440 form 'vmware-nsx-security==<version>') so that a later, possibly substituted, release is not pulled in silently. The auto-installed companion package vmware-policy is likewise unpinned and should get the same treatment. A pin only holds the install to the reviewed release; it does not verify the artifact itself, so the pinned version should be the one whose contents were actually reviewed.
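To make the pinning check behind this finding reproducible, here is an added example, written for this page and not the scanner's or the skill's own code, that parses a SKILL.md frontmatter installer declaration in the shape quoted above and flags a package spec that carries no exact version pin. The frontmatter layout, the placeholder version 0.0.0, the optional 'version:' key and the function names are assumptions; the page only shows the 'kind'/'package' pair.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape the finding quotes ("installer: kind: uv,
# package: vmware-nsx-security"); the skill's real SKILL.md is not reproduced here.
UNPINNED_SKILL_MD = """---
name: vmware-nsx-security
allowed-tools: Bash
installer:
  kind: uv
  package: vmware-nsx-security
---
# vmware-nsx-security
"""

# Same declaration with a hypothetical exact pin (0.0.0 is a placeholder, not a real release).
PINNED_SKILL_MD = UNPINNED_SKILL_MD.replace(
    "package: vmware-nsx-security", "package: vmware-nsx-security==0.0.0")

# Package spec: a PEP 503-style name, optional extras, and an *exact* pin only.
# uv's `name@version` shorthand and PEP 440 `name==version` both count;
# ranges such as >=1.0 deliberately do not, because they still allow drift.
_SPEC = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?:\[[^\]]*\])?"
    r"(?P<pin>(?:==|@)\S+)?$"
)


def frontmatter(skill_md: str) -> list:
    """Lines between the opening and closing '---' markers, or [] if absent or unterminated."""
    lines = skill_md.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    body = []
    for line in lines[1:]:
        if line.strip() == "---":
            return body
        body.append(line)
    return []


def installer_block(fm_lines: list) -> dict:
    """Key/value pairs indented under a top-level 'installer:' key (flat YAML only, assumed form)."""
    block, inside = {}, False
    for line in fm_lines:
        if not inside:
            inside = line.strip() == "installer:"
            continue
        if not line[:1].isspace():
            break  # back at top level: the installer block is over
        key, _, value = line.strip().partition(":")
        block[key.strip()] = value.strip().strip("'\"")
    return block


@dataclass
class InstallerFinding:
    kind: str
    package: str
    pinned: bool
    message: str


def audit_installer(skill_md: str) -> Optional[InstallerFinding]:
    """Flag an installer declaration whose package spec has no exact version pin."""
    inst = installer_block(frontmatter(skill_md))
    if not inst:
        return None  # nothing declared, nothing to audit
    kind = inst.get("kind", "?")
    spec = inst.get("package", "")
    m = _SPEC.match(spec)
    # A separate 'version:' key (assumed form) or an exact pin in the spec both count.
    pinned = bool(inst.get("version")) or bool(m and m.group("pin"))
    if pinned:
        message = f"{kind} installer pins '{spec}'"
    else:
        name = m.group("name") if m else spec
        message = (f"{kind} installer declares '{spec}' without an exact version; "
                   f"pin it, e.g. package: {name}@<version>")
    return InstallerFinding(kind, spec, pinned, message)


if __name__ == "__main__":
    for doc in (UNPINNED_SKILL_MD, PINNED_SKILL_MD):
        print(audit_installer(doc).message)
```

Run against the unpinned sample it reports the same condition as the finding; against the pinned sample it passes. A range spec such as `>=1.0` is reported as unpinned on purpose, since it still lets a newer release in.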
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | Reads/writes config.yaml, audit.db, .env (all explicitly documented)
Network | READ | READ | ✓ Aligned | HTTPS REST calls to NSX Manager on port 443 only (documented in SKILL.md archite…
Shell | WRITE | WRITE | ✓ Aligned | Bash tool scoped to CLI invocation (vmware-nsx-security doctor, policy list, etc…
Environment | READ | READ | ✓ Aligned | Reads VMWARE_NSX_SECURITY_*_PASSWORD and VMWARE_NSX_SECURITY_CONFIG — explicitly…

File Tree

5 files · 27.2 KB · 825 lines (Markdown: 4 files, 787 lines; JSON: 1 file, 38 lines)
├─ 📁 evals
│ └─ 📋 evals.json JSON 38L · 1.3 KB
├─ 📁 references
│ ├─ 📝 capabilities.md Markdown 101L · 4.3 KB
│ ├─ 📝 cli-reference.md Markdown 209L · 4.7 KB
│ └─ 📝 setup-guide.md Markdown 175L · 3.7 KB
└─ 📝 SKILL.md Markdown 302L · 13.2 KB

Dependencies (2 items)

Package | Version | Source | Known vulns | Notes
vmware-nsx-security | * (unpinned) | uv tool install | No | Version not pinned in the SKILL.md installer declaration
vmware-policy | * (unpinned) | auto-installed dependency | No | Companion skill for audit logging, auto-installed; also carries no version pin

Security Positives

✓ All 20 MCP tools and CLI commands fully documented with descriptions
✓ Comprehensive audit logging to ~/.vmware/audit.db via vmware-policy framework
✓ Credential safety: passwords loaded only from environment variables, never from config.yaml
✓ Input validation with safe character set enforcement documented
✓ Prompt injection defense via _sanitize() function documented
✓ Dry-run mode available for all write operations
✓ Double confirmation required for destructive operations (delete)
✓ .env file permissions validated (chmod 600) by doctor command
✓ No high-risk indicators found: no base64 decoding, no eval, no exfiltration to hard-coded IP addresses, no credential harvesting
✓ No hidden functionality — all operations match documentation
✓ MCP server uses stdio transport only (local, no network listener)
✓ All NSX API calls over HTTPS port 443 to declared targets
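The .env permission check credited to the doctor command above is the kind of control worth having in reusable form. The following is an added example, not the skill's doctor command, of what a "chmod 600" check should mean in practice: it uses lstat so a symlink cannot satisfy it, requires a regular file, rejects any group/other bit, and flags an execute bit or a file owned by someone else. Function names, the Unix-only ownership test and the demo file contents are assumptions.

```python
import os
import stat


def mode_problems(st_mode: int) -> list:
    """Reasons a secrets file's st_mode is unsafe; [] means a regular file at 0600 or stricter."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"group/other bits set (mode {stat.S_IMODE(st_mode):04o})")
    if st_mode & stat.S_IXUSR:
        problems.append("owner execute bit set on a secrets file")
    return problems


def env_file_is_private(path: str):
    """Check a .env-style secrets file the way a doctor command should.

    Returns (ok, problems). lstat is used deliberately: a symlink pointing at a
    world-readable file must fail here rather than inherit the target's mode.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, ["file not found"]
    if stat.S_ISLNK(st.st_mode):
        return False, ["is a symlink; refuse rather than check the target"]
    problems = mode_problems(st.st_mode)
    # Ownership check is Unix-only (assumption: the skill runs on a Unix host).
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("not owned by the current user")
    return (not problems), problems


if __name__ == "__main__":
    # Constructed demo: a throwaway file checked at a loose and then a tight mode.
    import tempfile
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"# constructed placeholder, not a real secret\n")
        path = fh.name
    for mode in (0o644, 0o600):
        os.chmod(path, mode)
        print(f"{mode:04o}: {env_file_is_private(path)}")
    os.unlink(path)
```

Returning the list of problems rather than a bare boolean lets a doctor-style command print every reason at once, so a user who fixes the mode but leaves a symlink in place is not sent around the loop twice.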