中文 EN

扫描报告

扫描新文件

可信 — 风险评分 0/100
上次扫描:2 天前 重新扫描
0 /100
vmware-nsx
VMware NSX networking management — segments, gateways, NAT, routing, and IP pools with 31 MCP tools
vmware-nsx is a well-documented VMware NSX networking management skill that consists entirely of documentation (SKILL.md, references, evals) — no executable code is present in the skill bundle. The declared capabilities, security controls, and scope boundaries are clearly documented with no hidden behavior.
技能名称vmware-nsx
分析耗时43.6s
引擎pi
可以安装
Approve for use. No code-level security issues were found in the skill bundle. For production deployment, verify the vmware-nsx-mgmt package integrity before installation.

安全发现 4 项

严重性 安全发现 位置
提示
Skill contains only documentation — no executable code
The skill bundle (5 files, 54KB) consists entirely of Markdown documentation and one evals JSON. The actual implementation is in the separately-installed vmware-nsx-mgmt package. This limits the analyzable attack surface to declared behavior in docs.
Skill bundle contains only docs; code lives in vmware-nsx-mgmt package
→ Verify the vmware-nsx-mgmt package integrity before installation
 SKILL.md:1
提示
Audit logging to local SQLite database
All operations are logged to ~/.vmware/audit.db (SQLite) via vmware-policy. This is disclosed and scoped. No exfiltration behavior.
All operations logged to ~/.vmware/audit.db (SQLite, framework-agnostic)
→ No action needed — audit logging is a positive security feature
 SKILL.md:160
提示
Optional webhook notification disclosed
The setup-guide.md mentions an optional notify.webhook_url in config.yaml for notifications. This is user-configured and requires explicit opt-in.
notify: webhook_url: ""
→ Ensure webhook_url is a trusted endpoint if configured
 references/setup-guide.md:55
提示
verify_ssl defaults to false
The default config has verify_ssl: false for targets. While documented as a setting users can enable, it presents SSL stripping risk if blindly copied.
verify_ssl: false
→ Production deployments should set verify_ssl: true with valid CA certificates
 references/setup-guide.md:50
资源类型声明权限推断权限状态证据
文件系统 NONE NONE No file system access in skill docs
网络访问 READ READ ✓ 一致 HTTPS API calls to NSX Manager only, declared in SKILL.md
命令执行 WRITE WRITE ✓ 一致 Bash declared for CLI commands; all invocations documented (doctor, segment, gat…
环境变量 READ READ ✓ 一致 Environment variables for credentials documented and scoped to VMWARE_* vars
技能调用 NONE NONE No skill-to-skill invocation described
剪贴板 NONE NONE Not used
浏览器 NONE NONE Not used
数据库 NONE READ ✓ 一致 Audit logging to ~/.vmware-nsx/audit.log and SQLite audit.db via vmware-policy d…

目录结构

5 文件 · 54.3 KB · 1595 行
Markdown 4f · 1557L JSON 1f · 38L
├─ 📁 evals
│ └─ 📋 evals.json JSON 38L · 1.3 KB
├─ 📁 references
│ ├─ 📝 capabilities.md Markdown 198L · 9.8 KB
│ ├─ 📝 cli-reference.md Markdown 637L · 16.7 KB
│ └─ 📝 setup-guide.md Markdown 401L · 10.8 KB
└─ 📝 SKILL.md Markdown 321L · 15.7 KB

依赖分析 2 项

包名版本来源已知漏洞备注
vmware-nsx-mgmt * uv tool install External package not analyzed — verify integrity before install
vmware-policy * auto-installed dependency Audit/policy framework dependency

安全亮点

✓ No executable code in the skill bundle — pure documentation enables transparent review
✓ Comprehensive security controls documented: audit logging, double confirmation, dry-run mode
✓ Well-defined scope boundaries with explicit exclusions (no DFW, no VM lifecycle, no storage ops)
✓ Credential handling via environment variables only — passwords never stored in config
✓ Input validation for all user-supplied parameters (CIDR, IP, VLAN, port numbers)
✓ Prompt injection defense via _sanitize() function described
✓ Dependency checks prevent accidental cascade failures on delete operations
✓ Least-privilege NSX role recommendations provided (network_engineer vs enterprise_admin)
✓ Certificate-based authentication supported as alternative to passwords
✓ No obfuscation, no base64-encoded payloads, no suspicious network IOCs