qiniu-kodo

Security checks across malware telemetry and agentic risk

Overview

This Qiniu cloud-storage skill does what it says, but it needs Review because it persistently stores cloud credentials and can delete remote data without real safeguards.

Install only if you intend to let an agent manage and potentially delete objects in the configured Qiniu bucket. Use least-privilege Qiniu keys, review setup.sh before running it, avoid writing secrets to shell startup files, back up any existing ~/.mcporter/mcporter.json, and require manual confirmation or a safer wrapper before delete or batch-delete use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
78% confidence
Finding
The skill explicitly instructs execution of shell commands (`bash scripts/setup.sh`, `node ...`) but does not declare corresponding permissions. Undeclared shell capability weakens the trust boundary: users or agents may authorize a seemingly simple storage skill without realizing it performs local installation and environment-changing actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is object storage management, but the behavior described by analysis includes package installation, qshell download, config creation with secrets, and shell profile modification. This mismatch is dangerous because it can conceal broader system-changing and credential-handling behavior behind a narrower description, increasing the chance that an agent or user grants trust inappropriately.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The delete command prints a warning that implies a confirmation step, but no confirmation is actually collected before issuing the remote delete. This creates a dangerous mismatch between user expectation and actual behavior, making accidental destructive actions much more likely in an agent or CLI context.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script appends QINIU_ACCESS_KEY and QINIU_SECRET_KEY to the user's shell startup file, causing long-lived plaintext credential persistence beyond the immediate setup task. This broadens exposure to any local process, future shell sessions, backups, dotfile sync, or accidental disclosure, which is unnecessary for basic object-storage operations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill documents a delete operation with `--force` but provides no explicit warning about irreversible data loss or recommended safeguards. In a storage-management context, destructive operations are expected, but lack of warning increases the risk of accidental deletion by users or agents, especially when commands are copy-pasted or automated.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation tells users to store cloud access credentials directly in a local JSON config file without any warning about secret exposure, file permissions, encryption, or safer alternatives. If that file is world-readable, committed to source control, backed up insecurely, or accessed by other local processes, it can lead to full compromise of the cloud storage account.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The batch-delete example shows irreversible cloud deletion with no prominent warning, dry-run pattern, or safeguard against accidental mass deletion. In an agent-assisted or copy-paste workflow, users may execute destructive commands without appreciating their impact, leading to avoidable data loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The automated backup script performs both local and remote deletion based on time thresholds without strong warnings, review steps, or safety checks. If copied into production with incorrect paths, clock issues, or metadata assumptions, it can silently delete legitimate backups and reduce recovery capability.

Missing User Warnings

High
Confidence
99% confidence
Finding
The command warns about deletion but immediately proceeds, so a user or calling agent may believe there is still an opportunity to cancel when there is not. In an object-storage skill, this can directly cause irreversible deletion of remote data if the agent passes the wrong key or is prompted maliciously.

Missing User Warnings

High
Confidence
97% confidence
Finding
Batch deletion performs destructive remote operations with no warning, preview, or confirmation, increasing the chance of mass accidental data loss. Because the list of keys is read from a file, a mistaken or tampered input file could trigger broad irreversible deletion across the bucket.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script silently persists secrets into shell startup files without explicit notice that they will remain on disk in plaintext and be loaded into every shell session. This increases the chance of credential theft through local compromise, shoulder-surfing, shared accounts, dotfile leakage, or accidental publication.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes access credentials directly into mcporter.json, and elsewhere also generates a JSON config containing secretKey in plaintext, without warning the user. Plaintext secret storage on disk creates durable credential exposure if the host is compromised, files are backed up to less secure locations, or home-directory contents are shared.

VirusTotal

63/63 vendors flagged this skill as clean.
