Back to skill

Security audit

CloudQ

Security checks across malware telemetry and agentic risk

Overview

CloudQ is a Tencent Cloud operations assistant, but its environment check can automatically change cloud IAM role policies, so it needs careful review before installation.

Install only if you are comfortable granting this skill Tencent Cloud credential access and possible IAM changes. Prefer OAuth or a least-privilege subaccount, avoid broad long-lived AK/SK unless you intentionally need role creation and passwordless console links, and review check_env.py behavior before running it in a production account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
A script presented as an environment check performs cloud-side write operations by attaching policies to a role. This violates least surprise and can silently expand privileges in the user's cloud account, especially dangerous in an AIOps/CloudOps skill where users may expect diagnostics to be read-only.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The comments and UX imply role checks are only validation, but the code auto-selects roles, writes local configuration, and later mutates role policies. That mismatch is security-relevant because users may run the script expecting a harmless check while it changes account state and trust assumptions.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The cleanup script can delete a cloud-side CAM role, which is a destructive remote action rather than merely local cleanup or advisory behavior. Although it requires user opt-in via --cloud and AK/SK to be present, it expands the tool’s authority beyond the skill’s described advisory/query scope and could cause loss of access or break dependent automations if run unintentionally.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script performs real IAM write operations by creating a CAM role and attaching broad policies, while the skill metadata frames the capability as advisory/query/AIOps assistance. That mismatch is dangerous because users or orchestrators may grant or invoke the skill expecting read-only guidance, but it can instead change account authorization state and establish persistent access paths.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code consumes long-lived Tencent Cloud credentials from environment variables and then uses them for privileged IAM mutations. In a skill presented as advisory/operations assistance, this expands blast radius significantly: any execution context holding those secrets can be used to create roles and attach powerful policies, enabling unauthorized persistence or privilege changes.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill goes beyond CloudQ query functionality by rewriting model/output content to include generated passwordless Tencent Cloud console login links. This can silently transform informational responses into privileged navigation actions, increasing the chance of phishing-like redirection, unintended privileged access flows, or unsafe user trust in injected links.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code launches a local helper to create login URLs, which is a privileged capability not necessary for basic CloudQ advisory/Q&A behavior. Even without direct command injection, this expands the trust boundary to another script and enables sensitive side effects from ordinary content processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically generates and appends passwordless console login links without clear user consent or warning. In a cloud-operations context, such links can lead users directly into privileged consoles and normalize clicking opaque high-trust URLs, which is especially risky when content is partially model-generated or remote-controlled.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.