Back to skill

Security audit

storage-obs-huawei-cloud-obs-stats

Security checks across malware telemetry and agentic risk

Overview

This skill is a read-oriented Huawei Cloud OBS statistics helper with disclosed credential handling and no bundled executable code, though its trigger wording is somewhat broad.

Install only if you intend the agent to query Huawei Cloud OBS/CES statistics using your existing hcloud or obsutil setup. Use a least-privilege IAM user, avoid pasting AK/SK secrets into chat, and confirm the skill is being used specifically for Huawei Cloud OBS when requests use generic metrics wording.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list contains generic phrases such as 'download traffic', 'total requests', 'request count', and 'month-over-month' that are not unique to Huawei Cloud OBS. In an agent environment, overly broad routing can cause this skill to activate for unrelated storage or analytics tasks, leading to execution of cloud CLI commands in the wrong context and unintended access to account metadata or bucket information.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.