Back to skill

Security audit

bigdata-dws-huawei-cloud-dws-cpu-diag

Security checks across malware telemetry and agentic risk

Overview

The skill’s main diagnosis workflow is read-only, but its supporting instructions introduce unrelated object-storage tooling, unsafe cloud credential handling patterns, and automatic local report persistence.

Install only if you are comfortable giving the agent read access to DWS monitoring and host data. Avoid the OBS/obsutil steps unless you independently need them, use least-privilege temporary credentials, do not put AK/SK values on command lines or in committed files, and treat generated HTML reports as sensitive operational data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill goes beyond generating a diagnosis report and instructs the agent to write an HTML file into the local workspace. Unprompted filesystem writes create a side effect outside the stated diagnostic scope, which can surprise users, leak sensitive operational data into persistent storage, or be abused as a foothold for unwanted artifact creation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
A CPU diagnosis skill's core function is data collection, analysis, and reporting; writing files to the workspace is not necessary to fulfill that purpose. Granting or instructing persistent write behavior without clear justification increases the attack surface and can leave behind sensitive cluster diagnostics in locations other tools or users may access.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document says the output should only contain the diagnosis report, but later adds a hidden side effect: saving a file to disk. This inconsistency is dangerous because reviewers and users may trust the earlier, narrower behavior while the skill performs additional persistent actions that can store sensitive data unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The file is materially misaligned with the declared skill purpose: it is an OBS object storage CLI installation and credential guide embedded in a DWS CPU diagnosis skill. That unnecessary expansion of scope can cause operators to install extra tooling and configure storage credentials unrelated to CPU diagnosis, increasing attack surface and the chance of credential misuse or unintended data access.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The guide adds obsutil and bucket-access capability without showing why a CPU root-cause diagnosis skill needs direct OBS operations. In this context, introducing unrelated storage tooling and authentication paths is dangerous because it broadens the skill's reachable privileges and may prompt users to grant sensitive object storage access far beyond what the stated function requires.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to save an HTML report into the workspace without warning the user or requesting confirmation. Silent persistence of diagnostic data is risky because the report may contain cluster identifiers, hostnames, SQL text, usernames, and other sensitive operational details that remain on disk after the session ends.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The command `obsutil config -ak=<AK> -sk=<SK> ...` places long-lived secrets directly on the command line without warning, which can expose them via shell history, process listings, terminal logging, or audit tools. This is especially risky in an operational support skill because users may run the command on shared bastions or monitored admin hosts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly instructs users to place plaintext AK/SK credentials into a YAML configuration file before encryption occurs. Even if the server later auto-encrypts them, the initial plaintext handling creates a window where secrets may be exposed through shell history, editor backups, filesystem snapshots, source control commits, or accidental sharing. In the context of an MCP server that gives LLM-driven access to cloud monitoring and host data, compromised AK/SK credentials could enable unauthorized access to Huawei Cloud resources and telemetry.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The CLI example passes AK/SK directly as command-line arguments, which is dangerous because process arguments are often exposed via shell history, process listings, audit logs, crash reports, and remote session recording. This creates an easily exploitable credential leakage path. In this skill context, those leaked cloud credentials could let an attacker query or manipulate DWS-related resources depending on the account's permissions, making the documentation more dangerous because it operationalizes unsafe secret handling for admins troubleshooting production systems.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.