proxmox-mcp-tools
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- Remote Code Execution (HIGH): The skill documentation (SKILL.md) explicitly references proxmox_lxc_exec, which facilitates command execution within LXC containers via SSH. This is a direct path to RCE if an agent is misdirected.
- Credentials Exposure (HIGH): The connection setup requires the agent to access highly sensitive credentials, including Proxmox API tokens (PROXMOX_TOKEN_VALUE) and the host's SSH private key (~/.ssh/id_rsa). Accessing these paths constitutes high-severity credential exposure.
- Privilege Escalation (HIGH): Tools in proxmox-access-control.md such as proxmox_acl and proxmox_user allow the agent to modify permissions, create new users, and generate API tokens, providing a clear path for an attacker to escalate or maintain privileges.
- Indirect Prompt Injection (HIGH): The skill has a high attack surface (Tier: HIGH) because it ingests untrusted data (logs via proxmox_node_log, file contents via proxmox_file_restore, and remote content via proxmox_storage_content) while possessing destructive and executable capabilities (proxmox_lxc_exec, proxmox_node_disk_admin). There are no documented boundary markers or sanitization procedures.
- Unverifiable Dependencies (MEDIUM): The skill relies on the external package @bldg-7/proxmox-mcp, which is not in the trusted source list.
Recommendations
- AI detected serious security threats
Audit Metadata