中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:2 days ago Rescan
5 /100
vmware-aria
VMware Aria Operations monitoring skill with 27 MCP tools for resources, alerts, capacity planning, anomaly detection, and report automation
This is a well-documented VMware Aria Operations monitoring skill with no executable code present. All declared capabilities are appropriate for the tool's purpose, with strong security practices including audit logging, credential isolation, HTTPS-only communication, and read-heavy operation design.
Skill Namevmware-aria
Duration31.0s
Enginepi
Safe to install
No action required. This skill is safe for use.
ResourceDeclaredInferredStatusEvidence
Shell WRITE WRITE ✓ Aligned SKILL.md:allowed-tools:[Bash] → Bash→shell:WRITE
Network READ READ ✓ Aligned Aria Operations API over HTTPS only, documented in Architecture section
Filesystem NONE NONE No file operations declared or present in documentation
2 findings
🔗
Medium External URL 外部 URL
https://aria-ops.example.com/suite-api/api/auth/token/acquire
references/setup-guide.md:219
📧
Info Email 邮箱地址
[email protected]
references/setup-guide.md:136

File Tree

5 files · 33.4 KB · 1009 lines
Markdown 4f · 971L JSON 1f · 38L
├─ 📁 evals
│ └─ 📋 evals.json JSON 38L · 1.3 KB
├─ 📁 references
│ ├─ 📝 capabilities.md Markdown 94L · 4.3 KB
│ ├─ 📝 cli-reference.md Markdown 299L · 6.5 KB
│ └─ 📝 setup-guide.md Markdown 237L · 4.7 KB
└─ 📝 SKILL.md Markdown 341L · 16.7 KB

Security Positives

✓ Documentation is comprehensive and transparent about all 27 tools
✓ Read-heavy design: 21 read-only tools vs 6 write tools
✓ All write operations (acknowledge, cancel, create alert def, etc.) are audit-logged
✓ Credentials stored in environment variables only, never in config files
✓ .env file permissions enforced with chmod 600 requirement
✓ Token-based authentication with 30-minute expiry and automatic refresh
✓ Prompt injection defense via _sanitize() function
✓ HTTPS-only communication with Aria Operations API
✓ Input validation for resource_id, alert_id, and criticality enum values
✓ MCP server uses stdio transport (local-only, no network listener)
✓ Companion vmware-policy skill provides additional audit/policy enforcement