Cloudbase

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate CloudBase development skill, but it is broad and includes high-impact cloud deployment/auth guidance with some risky examples that need review before use.

Install only if you intend to let the agent work on Tencent CloudBase projects. Before allowing actions, confirm the exact EnvId, review any MCP/cloud API call, avoid copying public-access examples unless the endpoint is intentionally anonymous, keep secrets in managed secret storage or environment variables, and require explicit approval before changing auth providers, permissions, deployments, or billing-related AI model settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Intent-Code Divergence

Severity: Medium
Confidence: 97%

The example authentication middleware silently assigns a shared 'anonymous' identity when no Bearer token is provided, even though the surrounding text frames the middleware as extracting authenticated user identity from JWTs. This creates an insecure fail-open pattern that can let unauthenticated requests access bot functionality and potentially collapse user separation, auditability, and policy enforcement onto a common identity.

Intent-Code Divergence

Severity: Medium
Confidence: 95%

The role-based example uses a JavaScript template literal inside a security-rule expression string even though the document explicitly warned earlier that template-literal placeholders are invalid in CloudBase rule strings. This contradiction can cause developers to deploy broken authorization logic or silently fail open/closed depending on tooling and testing quality, leading to incorrect access-control assumptions.

Vague Triggers

Severity: Medium
Confidence: 93%

The skill description is extremely broad and includes many generic software-development tasks, which can cause the agent to invoke this skill outside true CloudBase-specific contexts. Over-broad activation increases the chance that CloudBase-specific instructions, routing, deployment steps, or tool assumptions are applied to unrelated projects, leading to unsafe or incorrect actions.

Vague Triggers

Severity: Medium
Confidence: 90%

The activation triggers contain generic phrases such as frontend interface, troubleshooting, architecture design, and AI/model terms that overlap with ordinary developer requests. In a skill that also contains operational and deployment guidance, these broad triggers can misroute the agent into using CloudBase-specific workflows or MCP/tooling in contexts where they do not belong.

Vague Triggers

Severity: Medium
Confidence: 93%

The trigger phrases in this range are broad enough to match common requests such as troubleshooting or inspection tasks that may not specifically require this skill. In an agent-routing context, overbroad activation can cause the wrong skill to engage, leading to confused execution paths, unsafe tool selection, or bypass of narrower skills with safer constraints.

Vague Triggers

Severity: Medium
Confidence: 96%

The UI-generation triggers include highly generic phrases like design page, login UI, interface, or prototype, which can match a wide range of unrelated frontend requests. Because this skill also covers authentication and backend-adjacent workflows, accidental activation could steer benign UI work into CloudBase-specific guidance or cause inappropriate sequencing and tool use.

Missing User Warnings

Severity: Medium
Confidence: 89%

The skill includes a custom SMTP configuration example with an `AccountPassword` field shown as a plaintext value and no accompanying warning about secrets handling. In a configuration guide for auth providers, this can normalize insecure practices such as pasting real credentials into prompts, source files, logs, or screenshots, increasing the chance of credential exposure and downstream account compromise.

Missing User Warnings

Severity: Medium
Confidence: 95%

The documentation explicitly instructs users to make HTTP Functions publicly accessible with `aclTag: "CUSTOM"` and `rule: "true"`, which permits invocation by any caller. While public endpoints can be legitimate, the guidance does not prominently warn that this removes all authentication at the function boundary and can expose sensitive operations or data if developers copy the example indiscriminately. In a skill meant to help build and deploy browser-facing APIs, this omission is more dangerous because users are likely to follow the recipe directly.

Missing User Warnings

Severity: Medium
Confidence: 93%

The reference explicitly recommends `AuthSwitch: 2` (no auth) for exposing a cloud function over HTTP and does so without a clear warning about public exposure, authorization requirements, or compensating controls. In a skill that helps users deploy and configure production CloudBase resources, this can directly lead to accidentally publishing sensitive function endpoints to the internet.

Missing User Warnings

Severity: Medium
Confidence: 78%

The documentation encourages propagating authenticated user identity and JWT-derived context into a third-party backend flow without clearly warning that this data may be transmitted, processed, or retained outside the local service boundary. In an agent platform context, identity metadata can be sensitive and privacy-relevant, so omission of disclosure and minimization guidance can lead developers to over-share user data unintentionally.

Missing User Warnings

Severity: Medium
Confidence: 93%

The example stores the full decoded JWT payload in request state, which increases the chance that sensitive claims are later logged, forwarded, exposed to downstream components, or mishandled by middleware/plugins. JWT payloads often contain PII, roles, tenancy data, and other authorization context that should be minimized rather than broadly attached to shared request state.

Missing User Warnings

Severity: Medium
Confidence: 80%

The guide notes that Coze maintains conversation history when threadId is used but does not prominently warn that user prompts and associated conversation context may be stored remotely by the external provider. For AI agent integrations, conversation data frequently contains sensitive business or personal content, so omission of retention/privacy warnings can mislead developers into unsafe default deployments.

Missing User Warnings

Severity: Medium
Confidence: 94%

The documentation explicitly recommends storing the full decoded JWT payload in shared agent state and making it available to agents, adapters, and tools. Even if the signature is verified, exposing all claims to downstream logic increases the risk of sensitive claim leakage, unintended authorization coupling, and accidental propagation into logs, prompts, tool calls, or third-party integrations.

Missing User Warnings

Severity: Medium
Confidence: 93%

The observability example explicitly logs stable user and conversation identifiers in structured logs, which can create privacy and compliance risk when logs are centralized, retained long-term, or shared with third-party logging systems. In an agent platform, these identifiers can enable cross-session tracking and correlation of user activity, and the documentation presents this pattern without any minimization, redaction, or warning.

Missing User Warnings

Severity: Medium
Confidence: 96%

The error tracking example sends raw input data in exception reporting, potentially exporting secrets, prompts, personal data, or tokens to an external error-monitoring service. In agent systems, inputs often contain highly sensitive user content, so documenting direct capture of `input_data` without sanitization creates a realistic leakage risk.

Missing User Warnings

Severity: Medium
Confidence: 94%

The quickstart’s production-style multi-agent server exposes request-handling endpoints and binds to 0.0.0.0 without authentication or an explicit warning at the point of the example that all network callers can invoke the agent. In an agent framework context this is more dangerous than a generic demo API because prompts and tool-invoking requests are attacker-controlled input and may trigger costly model usage, data access, or downstream actions.

Missing User Warnings

Severity: Medium
Confidence: 91%

The monitoring callback example prints model output, tool names, partial tool arguments, run IDs, and error information directly to console without warning that prompts, completions, and tool arguments may contain secrets or personal data. In agent deployments, logs often aggregate centrally and are accessible to operators, so this can create durable secondary exposure of sensitive user content.

Missing User Warnings

Severity: Medium
Confidence: 89%

The skill explicitly promotes high-risk capabilities such as bash, filesystem, MCP, and code execution, but provides no user-facing caution about the security implications of enabling or exposing these tools. In an agent-development context, omission of risk guidance can lead users to deploy agents with dangerous tool access, weak auth, or overly broad execution privileges, increasing the chance of command execution, data exposure, or lateral movement.

Missing User Warnings

Severity: Medium
Confidence: 95%

The environment-variable section lists API keys and secret-bearing variables without any handling guidance, which can normalize unsafe practices like hardcoding, logging, committing .env files, or exposing secrets to clients. In a deployment-oriented skill for agent backends, this is especially risky because these credentials may grant access to models, tracing backends, and memory services, enabling abuse, data exfiltration, or account compromise if leaked.

Missing User Warnings

Severity: Low
Confidence: 86%

The production example treats the JWT as trusted input by base64-decoding its payload and reading `sub` without demonstrating any signature, issuer, audience, expiry, or scheme validation. In a security-sensitive multi-tenant context, developers may copy this pattern and use attacker-controlled tokens to select `userId`, which can undermine tenant isolation or cause unauthorized access to another user's persisted agent state.

Missing User Warnings

Severity: Medium
Confidence: 91%

The documentation shows how to generate temporary storage URLs but does not warn that these URLs provide unauthenticated external access to the referenced object until expiry. In a storage-management skill, omission of that security property can cause users to share sensitive files, logs, backups, or user uploads under the mistaken assumption that the link is only for internal debugging.

Natural-Language Policy Violations

Severity: Medium
Confidence: 92%

The skill hard-codes a China-specific authentication default ('always default to Phone SMS Verification') without user opt-in or regional/context checks. This can steer agents to collect phone numbers unnecessarily, reduce user choice, and create privacy/compliance issues when users are outside China or when SMS is not the least-privilege authentication method.

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%

This section repeats and reinforces a forced phone-SMS authentication policy as the default recommendation. Repetition makes the unsafe guidance more likely to be followed, increasing unnecessary collection of sensitive phone data and encouraging a one-size-fits-all auth flow that may be inappropriate for many deployments.

VirusTotal

64/64 vendors flagged this skill as clean.
