Back to skill

Security audit

ai-ges-huawei-cloud-ges-graph

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed Huawei GES graph-administration tool, but it handles cloud credentials and destructive graph or storage actions with weak transport security and limited built-in safeguards.

Install only if you intend to let the agent operate a live Huawei Cloud GES graph. Use least-privilege credentials, avoid production credentials unless necessary, review any import/export or deletion request carefully, and prefer a version that enforces TLS verification and confirmation gates in code before using it on sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to execute local Python/Node scripts, read configuration from environment variables or .env files, and make network requests to Huawei Cloud services, yet it declares no permissions. This creates a transparency and policy-enforcement gap: users or host systems may not realize the skill can access credentials, local files, and external networks before it runs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill as an access guide for graph operations, but the documented behavior extends to live authentication, direct API access, OBS data operations, and import/export job control. That mismatch can cause users or orchestrators to invoke a documentation-style skill without understanding it can move data externally and perform privileged cloud actions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill embeds a full-featured OBS object storage client with list, upload, download, and delete operations that materially exceed the stated scope of a GES graph access guide. This expands the capability surface from graph-database access to cloud storage manipulation, increasing the risk of unauthorized data access, overwrites, and deletion if the skill is invoked in broader contexts than users expect.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
These methods implement generic cloud storage management behaviors rather than narrowly scoped graph-database guidance. That mismatch is dangerous because users or orchestrators may trust the skill for GES-only operations while it can also read, write, and delete remote objects, enabling unintended cross-service actions.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger list contains broad phrases such as general graph-database and Cypher requests, which can cause the skill to activate for ordinary user queries that may not intend live cloud access. In this skill's context, over-triggering is more dangerous because activation can lead to credential use, external network calls, and potentially destructive graph operations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The import/export section documents moving graph data to and from OBS but does not prominently warn about data exfiltration, external storage exposure, transfer costs, retention, or sensitivity of exported content. In a cloud graph context, export features can copy large volumes of potentially sensitive relationship data to external object storage, increasing confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The download routine writes remote content directly to a caller-supplied local path using writeFileSync with no path restrictions, overwrite checks, or confirmation. In an agent setting, this can overwrite arbitrary local files or place attacker-controlled content in sensitive locations if path input is influenced by untrusted data.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill exposes remote object deletion with no confirmation, dry-run, scope restriction, or audit guardrails. If invoked accidentally or through prompt/parameter manipulation, it can permanently remove cloud-stored data, which is especially risky because the skill already holds credentials capable of performing the action.

Missing User Warnings

High
Confidence
98% confidence
Finding
The clearGraph method can erase the entire graph either via a dedicated API or a fallback MATCH (n) DETACH DELETE n query, with no confirmation or safety interlocks. In a graph administration skill, this is a highly destructive primitive that could cause total data loss from accidental invocation or misuse by an upstream agent.

Missing User Warnings

High
Confidence
92% confidence
Finding
The skill exposes graph-clearing and deletion operations that can irreversibly destroy all graph data without any confirmation, authorization gate, or safety interlock. In an agent skill context, this is especially dangerous because a prompt misunderstanding or indirect instruction could trigger mass destructive actions against production data.

External Transmission

Medium
Category
Data Exfiltration
Content
}
            }

        resp = requests.post(url, headers=headers, json=data, timeout=30, verify=False)

        if resp.status_code not in [200, 201]:
            raise Exception(f"密码获取Token失败: {resp.status_code}, {resp.text[:200]}")
Confidence
95% confidence
Finding
requests.post(url, headers=headers, json=

Credential Access

High
Category
Privilege Escalation
Content
edge_path="obs://bucket/edge"
)

# Export graph data (access_key/secret_key are read from .env automatically)
job_id = skill.client.export_graph(
    export_path="obs://bucket/export",
    vertex_set_name="set_vertex",
Confidence
90% confidence
Finding
.env

Unsafe Defaults

Medium
Category
Tool Misuse
Content
}
            }

        resp = requests.post(url, headers=headers, json=data, timeout=30, verify=False)

        if resp.status_code not in [200, 201]:
            raise Exception(f"密码获取Token失败: {resp.status_code}, {resp.text[:200]}")
Confidence
99% confidence
Finding
verify=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
'X-Identity-Sign': authorization_header
        }

        resp = requests.post(url, data=Body, headers=headers, timeout=30, verify=False)

        if resp.status_code not in [200, 201]:
            raise Exception(f"AKSK获取Token失败: {resp.status_code}, {resp.text[:200]}")
Confidence
99% confidence
Finding
verify=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
url=url,
            headers=request_headers,
            data=body,
            verify=False
        )

        if response.status_code >= 400:
Confidence
97% confidence
Finding
verify=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
url = f"{self.base_url}{path}"
        headers = self._get_headers()

        resp = requests.request(method, url, headers=headers, **kwargs, verify=False)

        if resp.status_code >= 400:
            raise Exception(f"API请求失败 [{resp.status_code}]: {resp.text}")
Confidence
98% confidence
Finding
verify=False

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.insecure_tls_verification

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/ges_graph_skill.js:603

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/ges_graph_skill.py:179