aliyun-oss

Security checks across malware telemetry and agentic risk

Overview

This Aliyun OSS skill does what it claims, but it needs review because it persists cloud credentials broadly and can delete remote objects without real safeguards.

Install only if you intend to grant this skill access to an Aliyun OSS bucket. Use a least-privilege or temporary credential, avoid production buckets until delete confirmation is fixed, inspect/remove any ALIYUN_* lines added to shell startup files, and treat generated private URLs as temporary secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill clearly invokes shell commands such as bash scripts and node commands, but the manifest does not declare corresponding permissions/capabilities. This creates a transparency and governance problem: a user or platform may underestimate what the skill can execute, increasing the risk of unexpected command execution and unsafe automation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior extends beyond normal OSS object operations into credential persistence, environment modification, local config creation, and package installation. That mismatch is dangerous because users may invoke a storage skill expecting ordinary file actions while it also writes secrets to local shell profiles or disk, expanding the attack surface and increasing credential exposure risk.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script persists long-lived OSS credentials into the user's shell startup file, causing secrets to be automatically loaded into every future shell session. This broadens exposure well beyond the skill's operational need, making credentials easier to leak through shell history inspection, process environments, debugging output, other local tools, or accidental sharing of dotfiles.

Missing User Warnings

Medium
Confidence
73% confidence
Finding
The documentation exposes delete functionality, including a force option, without warning that deletion may be irreversible or lead to data loss. In an automation context, this omission can cause accidental destructive actions against production buckets or important objects.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documentation instructs users to provide long-lived AccessKey credentials and perform remote upload/download operations, but it does not warn about secret sensitivity, least-privilege access, or the privacy implications of transferring data to OSS. This is especially risky because the skill context involves cloud storage administration, where mishandled keys can enable unauthorized access to buckets and data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly includes a forced deletion example (`--force`) without a clear warning that it bypasses confirmation and can permanently remove remote objects. In an agent skill context, users or downstream automation may copy this example directly, making accidental destructive actions more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The automated backup script performs both local `find ... -delete` cleanup and cloud-side forced deletions based on listed objects, but the example lacks prominent warnings or guardrails around irreversible data loss. Because this is presented as a complete automation recipe, it is especially likely to be reused in production and could mass-delete backups if paths, timestamps, or object selection are wrong.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The delete command prints a warning but still proceeds to delete the remote OSS object without actually collecting or validating user confirmation. In an agent or CLI workflow, this creates a misleading safety prompt and makes accidental or prompt-induced destructive actions much easier, causing irreversible data loss.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Batch delete performs irreversible remote deletions from a provided file with no confirmation, preview, or guardrails. In the skill context, this is more dangerous because a malformed list file, user mistake, or unsafe agent instruction could trigger large-scale object deletion across the bucket.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes accessKeyId and accessKeySecret to a JSON file on disk without any explicit warning, confirmation, or safer secret-handling option. Even with chmod 600, storing plaintext cloud credentials on disk increases the risk of compromise from backup leakage, local malware, accidental commits, or later misuse by other tools on the same account.

Missing User Warnings

High
Confidence
98% confidence
Finding
Appending cloud credentials directly to the user's shell startup file stores them in plaintext in a highly exposed and persistent location that is sourced automatically. This increases blast radius because any future shell, local process inspection, support bundle, synced dotfile repo, or accidental disclosure can reveal the credentials.

VirusTotal

63/63 vendors flagged this skill as clean.
