Back to skill

Security audit

Tccli Cvm

Security checks across malware telemetry and agentic risk

Overview

The skill appears to manage Tencent Cloud resources but also enables remote shell command execution on cloud servers, which needs review before installation.

Install only if you intend to let the agent administer Tencent Cloud servers, including running shell commands on instances. Use a least-privilege Tencent Cloud role, avoid broad production credentials, and confirm every remote command before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill explicitly adds TencentCloud Automation Tools (TAT) support, which enables arbitrary remote shell command execution on CVM instances. That materially expands the capability from infrastructure lifecycle management into post-deployment code execution, creating a much higher-risk path for abuse, lateral movement, package installation, or destructive actions on hosts.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The stated purpose is managing CVM resources, but the skill instructs how to Base64-encode and run shell commands remotely via `tccli tat RunCommand`. That capability is not necessary for instance creation/query/deletion and can be used to execute arbitrary commands on running machines, which significantly increases operational and security risk beyond the declared skill boundary.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.