Back to skill

Security audit

network-eip-huawei-cloud-cce-env-assessment

Security checks across malware telemetry and agentic risk

Overview

This Huawei Cloud assessment skill has a coherent goal, but it asks for powerful cloud credentials and includes broad local privilege and cleanup instructions without enough safeguards.

Review carefully before installing. Use a least-privilege Huawei Cloud key, avoid pasting secrets into chat if possible, confirm no credentials are printed in command output, and do not allow sudo or deletion of existing data/artifacts unless you understand the exact local impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to retry with sudo when it encounters permission issues, even though the stated purpose is assessment and reporting. This broad privilege-escalation behavior can turn a low-risk read/report workflow into one capable of modifying protected system state or exposing sensitive local resources if any command in the flow is overbroad or compromised.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
Although the skill is presented as an assessment tool, it also directs installation or upgrading of local tooling and Python dependencies. That expands the trust boundary from passive assessment into local system modification and package execution, increasing risk from dependency compromise, unexpected side effects, and unauthorized environment changes.

Scope Creep

Medium
Confidence
88% confidence
Finding
The declared permission boundary says only explicitly listed operations are allowed, yet the workflow also requires deleting files, creating directories, and writing environment variables. This mismatch weakens user understanding of what the skill may do and can be exploited to normalize undeclared destructive or state-changing behavior under the guise of compliance.

Intent-Code Divergence

Low
Confidence
72% confidence
Finding
The skill says the AI may invoke only scripts specified in the SKILL, but the documented workflow later requires execution of a script omitted from the script list. This inconsistency creates ambiguity about what code is authorized to run and can enable accidental or unjustified execution of unreviewed scripts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the user to provide Huawei Cloud AK/SK credentials and stores them in environment variables without an explicit warning about sensitive secret handling. In this context, the risk is amplified because the workflow also requires showing outputs after each step, which increases the chance that secrets are echoed, logged, or exposed in conversational transcripts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill directs deletion of historical files in data/ and artifacts/ without clearly warning the user that local files will be removed. Even if the target directories are narrow, this is still a destructive operation that can erase prior assessment outputs or user-kept files placed there.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill directs extensive collection of cloud and local environment information but does not disclose what categories of data may be gathered, retained, or included in generated artifacts. For an infrastructure assessment skill, that omission is significant because collected configuration and metrics can contain sensitive operational details about the user's environment.

Ssd 3

High
Confidence
98% confidence
Finding
The workflow asks for cloud credentials, stores them in environment variables, and requires the agent to display step outputs, creating a direct path for accidental secret disclosure in logs, terminal output, generated files, or chat responses. In a cloud-assessment context, exposed AK/SK could enable unauthorized access to the user's Huawei Cloud resources, making the consequence materially severe.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.