tsa-risk

Security checks across malware telemetry and agentic risk

Overview

This Tencent Cloud Smart Advisor skill is related to its stated purpose, but it can make high-impact cloud IAM changes and contains permission and TLS-safety inconsistencies that need review before installation.

Install only after reviewing the Tencent Cloud permissions. Use a dedicated least-privilege sub-account or role, avoid persisting high-privilege AK/SK in shell startup files, treat generated console login URLs as temporary credentials, and do not run role creation or `cleanup --cloud` unless you explicitly intend to change CAM state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented primarily as a read/query tool, but the documented behavior includes privileged IAM/CAM mutations, cloud-side deletion, STS role assumption, passwordless login URL generation, local config management, and update checks. This expands the trust boundary significantly and can lead users to authorize far more powerful actions than the description suggests.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The role-creation documentation is internally inconsistent: one section says only QcloudAdvisorFullAccess is attached and characterizes it as read-only, while another says both QcloudTAGFullAccess and QcloudAdvisorFullAccess are attached with full read/write scope. Such contradictions can cause users to consent under a false understanding of granted privileges.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document claims secrets will not be transmitted over the network, but the skill necessarily uses AK/SK to authenticate requests to Tencent Cloud APIs, which involves transmitting authentication material or derived signatures over HTTPS. Misstating this can mislead users about credential exposure and operational risk.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill alternately describes the Advisor permission as read-only and as full read/write, which is a material inconsistency about privilege scope. In a cloud IAM context, inaccurate privilege descriptions undermine informed consent and can result in over-privileged role creation.

Description-Behavior Mismatch

Medium
Confidence
76% confidence
Finding
The skill is described as a risk-inspection/query tool, but this environment checker also validates and operationalizes console-login role setup, including preparing local state for passwordless login flows. Expanding from read/query behavior into identity and access workflow support increases privilege-related risk and can surprise users who do not expect IAM-adjacent actions from this skill.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The header claims the script is read-only and does not modify configuration, but the code later writes ~/.tsa-risk/config.json when it discovers an existing role. Misrepresenting side effects is dangerous because users and orchestrators may grant trust or automate execution under the assumption that the script is non-mutating.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This file is a destructive cleanup utility that deletes local configuration, cache files, and optionally a cloud CAM role, which exceeds the described read/query-oriented Smart Advisor inspection purpose. Even with prompts and flags, bundling deletion capabilities into a skill focused on architecture inspection increases the risk of unintended data loss or misuse if invoked by an agent or user who expects only read-only behavior.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script can delete a cloud IAM/CAM role named `advisor`, which is a privileged destructive action not justified by the skill's stated inspection purpose. If run with valid credentials, this could remove an in-use role and break cloud access workflows or security posture, especially because the role name is hardcoded and not verified as uniquely owned by this tool.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script’s documented purpose is architecture risk inspection, but it explicitly performs IAM write operations by creating a CAM role and attaching policies. That is a privilege-modifying action outside a read-only inspection scope, which increases the chance of unauthorized or unexpected access changes if invoked by an agent or user who expects a non-mutating tool.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script creates a role with ConsoleLogin enabled and attaches broad policies (QcloudTAGFullAccess and QcloudAdvisorFullAccess), materially expanding access in the tenant. For a risk-inspection tool, creating a console-login-capable role with full-access policies is excessive and could be abused for privilege expansion or persistent access beyond the stated need.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
This script explicitly generates Tencent Cloud console single-sign-on URLs using STS credentials, which is broader capability than the skill description of advisor architecture inspection. Even if intended for convenience, console login enables interactive access and potentially actions outside the narrowly stated read-only inspection scope, increasing the blast radius if the skill is abused or misconfigured.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script consumes long-lived SecretId/SecretKey values from environment variables and uses them to mint temporary console access. While common in automation, this is sensitive because compromise of the execution environment or accidental disclosure of process environment data can lead to broader cloud account access than the advisor-only use case requires.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The setup script is presented as a risk-inspection helper but can create a CAM role and attach policies, which is a privileged write operation that changes the user's cloud IAM state. Even though it prompts for confirmation, this expands the trust and attack surface beyond a read-oriented advisory tool and could normalize unnecessary privilege changes during setup.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script hardcodes broad policies `QcloudTAGFullAccess` and `QcloudAdvisorFullAccess` for a tool whose stated purpose is architecture risk inspection. Granting full-access roles where read-only permissions may suffice increases blast radius if the role is later misused, assumed by another workflow, or compromised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
When certifi is unavailable, the helper creates an SSL context with hostname checking disabled and certificate verification turned off. This permits man-in-the-middle interception of signed Tencent Cloud API traffic, exposing sensitive request/response data and allowing an attacker on the network path to spoof the remote endpoint.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The wrapper is a generic signed Tencent Cloud API client because it accepts arbitrary service, host, and action values. In a skill advertised as an Advisor architecture-risk inspection tool, this broad capability expands it into a general cloud control-plane caller, which can be abused to invoke unintended APIs using the user's credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to permanently store long-lived cloud credentials in shell startup files or user environment settings. Persisting AK/SK in broadly accessible local config increases exposure to local compromise, accidental disclosure, shell history/config sync leakage, and long-term credential misuse.

Missing User Warnings

High
Confidence
99% confidence
Finding
When certifi is unavailable, the code disables hostname verification and certificate validation entirely. This allows a man-in-the-middle attacker on the network path to intercept or modify the STS request and response, exposing temporary credentials or causing the script to trust attacker-controlled endpoints.

Missing User Warnings

High
Confidence
99% confidence
Finding
TLS certificate verification is silently disabled without notifying the user, so insecure transport may occur transparently in normal operation. Silent downgrade is especially dangerous for a credentialed cloud API client because users may assume requests are protected while an attacker can intercept or tamper with traffic.

VirusTotal

66/66 vendors flagged this skill as clean.
