Alicloud Ai Chatbot

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine Alibaba Cloud chatbot helper, but it can use cloud credentials for high-impact cloud operations and does not strictly require a user-confirmed region or permission scope before acting.

Install only if you intend to let the agent help manage Alibaba Cloud Chatbot resources. Use a restricted RAM user or role, confirm the exact region and tenant/account before any API call, and require a written plan before create, update, or delete operations. Local OpenAPI metadata generation is low risk; cloud mutations are the part to control carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill uses sensitive capabilities—environment variable access for cloud credentials, network access for API calls, and file writes for artifacts—but does not declare permissions. This undermines least-privilege review and can cause an agent or operator to authorize broader access than intended without clear visibility into the skill’s actual behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill advertises active management of Alibaba Cloud chatbot resources, but the described executable path primarily discovers public OpenAPI metadata and writes local API inventory artifacts instead of performing the claimed operational tasks. This mismatch is dangerous because users and orchestration systems may grant credentials and trust based on the declared purpose while the real behavior is materially different, reducing transparency and impairing security review.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The instruction to select the 'most reasonable region' when no region is configured allows the agent to make an infrastructure locality decision without explicit user approval. In a cloud-management context, this can lead to operations against the wrong jurisdiction or tenant region, causing compliance, availability, or cost issues, especially for mutating actions.

VirusTotal

66/66 vendors flagged this skill as clean.