Back to skill

Security audit

Cloudbase

Security checks across malware telemetry and agentic risk

Overview

This appears to be legitimate CloudBase development guidance, but it gives agents broad cloud-management authority and includes under-scoped deployment instructions that could change resources or delete local build folders without enough confirmation.

Install only if you want an agent to actively manage CloudBase projects. Before use, require confirmation for EnvId selection, MCP calls, billing or plan changes, auth-provider changes, deployments, README edits, and any cleanup command such as `rm -rf env/`. Treat CORS, JWT, anonymous-user, and identity-logging snippets as examples to review and harden before production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (40)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill contains conflicting operational directives: earlier sections require backend resource preparation via MCP before writing frontend code, while the Core Behavior Rules later say to prioritize frontend first, then backend. In an agentic workflow, contradictory precedence can cause the model to skip security-critical setup such as auth, storage rules, or database provisioning, leading to insecure or broken deployments.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document explicitly warns that PG/pgstore environments must use `app.storage.from('bucket').upload(...)`, yet the later method-routing section unconditionally tells users to use legacy `app.uploadFile()` for browser uploads. In this skill context, that contradiction is dangerous because developers may choose the wrong API for production storage flows, causing failed uploads, undefined PUT targets, permission errors, or incorrect security assumptions in PG mode.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The primary upload example demonstrates only the legacy `app.uploadFile()` path immediately after the guide states that PG/pgstore requires bucket-scoped `from(bucket).upload(...)`. Because examples are often copied verbatim, this can directly propagate broken or insecure implementation patterns into frontend code, especially in mixed CloudBase environments where the wrong storage model can mask authorization and bucket-creation prerequisites.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The temporary-URL section shows `getTempFileURL()` and an upload+preview flow built around a `fileID`, even though the guide previously says PG mode should use `createSignedUrl()` on `app.storage.from('bucket')`. In this context, the inconsistency can lead developers to implement the wrong retrieval mechanism for private objects, resulting in broken access flows, mis-handled authorization, and confusion about whether a returned URL is valid, signed, or tied to the correct backend.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The documented auth middleware silently assigns an unauthenticated caller the shared identity "anonymous" when no Bearer token is provided, despite presenting itself as JWT-based authentication. In a Coze integration where user_id drives conversation history and tenant separation, this can let unauthenticated requests access or contaminate a common session, weakening access control and isolation.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The guide frames this as proper CORS configuration, but the examples allow all origins and, in the FastAPI case, combine `allow_origins=["*"]` with `allow_credentials=True`. That configuration undermines cross-origin protections and can expose authenticated APIs to untrusted origins or mislead users into deploying an insecure default.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The delivery-zone example appears logically incorrect: it uses geoWithin with a Point geometry against a deliveryZone field, which contradicts the stated goal of testing whether a user's point lies inside the store's polygon. Developers copying this example may implement broken authorization/business logic for delivery eligibility, causing incorrect service decisions or bypass of geographic restrictions.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This is a true authentication bypass pattern. The sample guard claims token verification but in practice accepts any non-empty Bearer token, sets request.user, and returns true, which can mislead developers into deploying endpoints that trust attacker-supplied tokens without cryptographic validation or introspection. In a CloudBase/NestJS skill, this is especially dangerous because the content is framed as implementation guidance, so insecure sample code is likely to be copied directly into production auth paths.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill instructs the agent to modify README.md with deployment information without requiring prior user confirmation or an explicit notice that project files will be changed. In agent-driven environments, silent documentation edits can overwrite user-maintained content, leak environment details into version control, or create unintended persistence of sensitive operational metadata.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The AI-agent scenario uses broad signals such as "AI Agent", "智能体", and "agent UI", which can match many unrelated requests and cause the wrong skill path to activate. In this skill, misrouting is security-relevant because the selected path changes operational guidance, deployment assumptions, and prohibited tools, increasing the chance of unsafe implementation or bypass of more appropriate checks.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The UI-generation scenario includes vague phrases like "设计页面", "frontend interface", and "prototype", which are common across many unrelated tasks. Because this activation map drives what instructions are read first, generic UI triggers can incorrectly divert requests into design-first behavior and away from platform-specific security or auth guidance.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The guidance hard-codes a language/output policy in natural language rather than deferring to the user's preference, which can override user intent and affect downstream behavior selection. In an agent skill, forced language policy is less severe than code-execution issues, but it can still cause policy drift, incorrect user handling, and brittle instruction-following in multilingual contexts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example cloud function logs and returns OPENID/APPID/UNIONID directly to the caller. Although these identifiers are legitimately available in CloudBase mini program auth flows, exposing them in logs and API responses increases privacy risk and can normalize copying sensitive identifiers into client state, telemetry, or downstream systems without need. In this skill context the data is real identity material, so the example is more dangerous than a generic placeholder snippet.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The authentication test pattern returns the full identity object and displays it in the mini program, while also logging it on both server and client. Even as a test example, this encourages developers to expose verified platform identifiers in production-like flows and increases the chance of privacy leakage through UI, browser/dev tools, analytics, screenshots, and retained logs. The skill context makes this more dangerous because it is instructional content likely to be copied verbatim.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs authors to default browser-facing HTTP functions to `Access-Control-Allow-Origin: *` for simple APIs. While CORS is not authentication, this guidance broadens cross-origin accessibility by default and can turn otherwise same-origin-protected endpoints into callable targets from any website, increasing exposure of unauthenticated APIs or APIs that rely on ambient credentials or weak trust assumptions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation instructs implementers to extract a JWT payload and place user identifiers plus the JWT-derived object into request state that is then used by the adapter when calling a third-party service, but it does not warn about privacy, data minimization, or restrictions on forwarding identity-linked data. This increases the chance that developers will transmit more personal or security-sensitive information than necessary to Coze, creating avoidable privacy and compliance exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The observability examples explicitly log stable user identifiers (`user_id`) and elsewhere capture raw `input_data` in error reporting, which can normalize collection of personal or sensitive data into logs and third-party telemetry systems. In an agent platform handling chats, prompts, auth flows, and application data, this creates a realistic privacy and data-exposure risk because logs, traces, and error tools are often broadly accessible and retained longer than primary application data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation includes an example configuring CORS with allow_origins=['*'], allow_methods=['*'], and allow_headers=['*'] for a FastAPI app, but provides no warning that this should not be used in production. In a server framework reference, developers often copy examples verbatim; permissive CORS can expose authenticated APIs to unintended web origins and increase cross-origin abuse risk, especially if combined with weak auth or credentialed browser flows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The quickstart’s production-ready multi-agent example configures CORS with allow_origins=['*'], allow_methods=['*'], and allow_headers=['*'] while also enabling credentials, which is an unsafe default for documentation because readers may copy it directly into deployed services. In an agent server context, overly permissive cross-origin access can expose authenticated endpoints or browser-accessible agent actions to unintended origins, increasing the risk of cross-site request abuse and data exposure.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation description is extremely broad and explicitly says to use the skill even when the user does not mention CloudBase Agent. That can cause the agent to inappropriately apply this skill to generic AI backend requests, pulling in CloudBase-specific deployment patterns and powerful tooling guidance outside the intended scope. In a skill that includes agent servers, deployment, MCP tools, code execution, and middleware, over-activation increases the chance of unsafe or irrelevant actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises security-sensitive capabilities including bash, filesystem access, MCP integration, code execution, and a quick-start example that enables CORS for all origins, but it does not prominently warn about the risks or require safe defaults. In an agent-backend skill, these features can materially expand attack surface: arbitrary command/file access, unsafe tool exposure, and browser-based cross-origin access to agent endpoints. The CloudBase Agent context makes this more dangerous because the document is prescriptive and framed as production-ready guidance, so insecure examples may be copied directly into deployed systems.

Missing User Warnings

Low
Confidence
96% confidence
Finding
The documentation demonstrates extracting a JWT payload with `JSON.parse(atob(token.split(".")[1]))` and directly trusting the `sub` claim to derive `userId`, but it does not show any signature verification, issuer/audience validation, expiration checks, or robust parsing. In security-sensitive multi-tenant storage code, this example can lead implementers to accept attacker-supplied bearer tokens and derive authorization context from untrusted data, enabling tenant impersonation or unauthorized access if copied into production.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation shows how to generate temporary access URLs but does not warn that anyone possessing the link can access the referenced object until expiry. In a storage-management skill, this omission can lead users to share signed URLs in logs, chat, tickets, or front-end code, unintentionally exposing stored data.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill hard-codes 'Phone SMS Verification' as the default user authentication path when the user has not requested a specific method. This can steer agents into collecting phone numbers and using a region-specific identity flow without consent, data-minimization review, or suitability checks, increasing privacy, compliance, and account-enumeration/abuse risk for users who do not need SMS auth.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The skill sets domestic Shanghai as the default region for API routing without requiring confirmation of the tenant's actual region or data-residency requirements. This can cause requests, credentials, and user data to be sent to the wrong regional endpoint, creating privacy/compliance issues and potentially breaking auth or service behavior.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/ai-model-nodejs/SKILL.md:214

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/ai-model-web/SKILL.md:209

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/ai-model-wechat/SKILL.md:243