Back to skill

Security audit

aliyun-oss-upload

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uploads a user-chosen file to Aliyun OSS and creates a temporary access link.

Install only if you want the agent to upload selected local files to your Aliyun OSS bucket. Use a dedicated least-privilege RAM or temporary credential, avoid broad account keys, keep signed URL expirations short, and confirm the file is safe to upload before running the command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation instructs users to configure and rely on sensitive environment variables for cloud credentials, but the skill declares no permissions despite clearly requiring access to secrets in the environment. This creates a transparency and least-privilege problem: an agent or platform may expose credentials to the skill without an explicit permission boundary, increasing the risk of unintended secret access or misuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.