Is 0xfratex/virtualboxmanager safe?

https://github.com/openclaw/skills/tree/main/skills/0xfratex/virtualboxmanager

88
SAFE

This skill is a legitimate VirtualBox management reference providing comprehensive VBoxManage CLI documentation and a TypeScript utility library. No prompt injection, data exfiltration, or malicious behavior was detected during installation monitoring. The primary concerns are a command injection vulnerability in the TypeScript utility's shell command construction and the inherently broad VM management capabilities that could be misused if the agent is manipulated.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (6)

MEDIUM Command injection in vboxCommand utility -20

The vboxCommand function in virtualbox-utils.ts constructs shell commands via template literal string concatenation and passes them to child_process.exec, which spawns a shell. Although VM names are double-quoted in the command string, the shell still performs command substitution inside double quotes, so crafted input containing shell metacharacters (e.g., backticks, $()) could execute arbitrary commands.

LOW Environment variable binary override -8

The VBOXMANAGE_PATH environment variable allows overriding the VBoxManage binary path. If an attacker controls environment variables, they could redirect execution to a malicious binary.

LOW Host filesystem exposure via shared folders and guest control -10

The skill documents VBoxManage sharedfolder and guestcontrol commands that allow mounting arbitrary host directories into VMs and copying files between host and guest. An agent following these instructions could inadvertently or intentionally expose sensitive host files to a VM with network access.

LOW Plaintext credentials in example code -10

Guest control examples include plaintext username/password arguments that could be logged by the agent, stored in conversation history, or captured in shell history. This could normalize credential exposure patterns.

INFO Broad VM management surface area -5

The skill provides comprehensive VM lifecycle control including creation, deletion, networking, and guest execution. While all commands are legitimate VBoxManage operations, the breadth of capability means a compromised or manipulated agent could cause significant damage (deleting VMs, exposing networks, modifying production VMs).

INFO Excessively long SKILL.md -5

The SKILL.md is very large (~700+ lines) and consumes a significant share of the agent's context window. While not malicious, this is a resource concern and could crowd out other instructions.