SLS + ARMS End-to-End Troubleshooting

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Alibaba Cloud debugging skill, but it needs Review because it can use saved cloud credentials and expose raw production logs, traces, stack data, and request or response fields without strong scoping or redaction.

Install only if you intentionally want the agent to query Alibaba Cloud SLS/ARMS and inspect related local source code. Use read-only, least-privilege credentials, restrict logstores and time windows, avoid broad secrets in OpenClaw config, and redact tokens, personal data, SQL, stack traces, and request/response payloads before sharing results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The script loads fallback secrets from ~/.openclaw/openclaw.json, giving the skill access to local OpenClaw-managed credentials beyond explicit process environment input. That broadens the trust boundary and lets a skill silently consume cloud credentials from a local config file, which is sensitive because the skill's purpose is trace analysis, not credential discovery from host-local agent configuration.

Vague Triggers

Medium (86% confidence)
Finding
The trigger examples are broad enough to match many generic troubleshooting requests, which can cause the skill to activate in situations where users did not explicitly consent to log, trace, code, or database investigation. In this skill’s context, unintended activation is more dangerous because the documented workflow includes querying cloud logs, tracing requests, inspecting source code, and analyzing database errors, all of which may expose sensitive operational or user data.

Missing User Warnings

Medium (89% confidence)
Finding
The README advertises end-to-end investigation across logs, traces, source code, and databases but does not warn that these actions may access sensitive user, tenant, credential, or production system data. In this context, the omission increases risk because operators may invoke the skill without understanding the breadth of data access or the need for authorization, minimization, and redaction.

Missing User Warnings

Medium (93% confidence)
Finding
The README instructs users to export Alibaba Cloud AccessKey credentials directly as environment variables without any guidance on secret handling, rotation, scope restriction, or safer alternatives. This is dangerous because such credentials may be overprivileged, exposed through shell history, process environments, screenshots, crash dumps, or shared terminal sessions, enabling unauthorized access to SLS and ARMS data.

Vague Triggers

Medium (82% confidence)
Finding
The trigger phrases are broad enough to activate on ordinary troubleshooting requests, which can cause the skill to run in contexts where users did not intend cloud log or trace access. In a debugging skill with access to credentials and sensitive observability data, over-broad invocation materially raises the risk of unnecessary data exposure.

Missing User Warnings

Medium (90% confidence)
Finding
The skill directs use of Alibaba Cloud credentials and retrieval of logs/traces without a clear upfront warning that sensitive data may be accessed and surfaced. Because observability data often contains identifiers, request payloads, errors, and stack traces, the lack of notice and consent increases privacy and compliance risk.

Missing User Warnings

Medium (88% confidence)
Finding
The script retrieves cloud access keys from environment/config and uses them to authenticate outbound API calls without explicit user disclosure at execution time. In an agent-skill context, hidden credential consumption is risky because users may not realize the skill is acting with their cloud privileges and querying external systems on their behalf.

Missing User Warnings

Medium (90% confidence)
Finding
The ARMS HTTP query path transmits trace IDs and related query metadata to a remote cloud API, and the skill overall also sends user-provided identifiers such as trace_id, wusid, and path to SLS/ARMS. In a security-sensitive agent setting, undisclosed transmission of operational identifiers and potentially sensitive debugging context can leak internal data to external services or violate user expectations.

Ssd 3

High (98% confidence)
Finding
The instructions require verbatim inclusion of every log and stack trace entry, forbidding deduplication or selective disclosure. This is dangerous because logs and traces frequently contain secrets, tokens, identifiers, request bodies, internal paths, and personal data that should not be echoed back wholesale.

Ssd 3

High (98% confidence)
Finding
The report template explicitly tells the agent to echo raw request/response data and full stack contents directly to the user. This creates a direct exfiltration channel for sensitive business data, user information, secrets embedded in payloads, and internal implementation details.

Ssd 3

Medium (90% confidence)
Finding
The code-analysis flow instructs use of request/response business data from logs to reconstruct user context. Even if intended for diagnosis, this increases privacy risk by encouraging deeper inference about individual users from operational telemetry.

VirusTotal

65/65 vendors flagged this skill as clean.
