Alicloud Ai Entry Modelstudio

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Alibaba Cloud Model Studio router with expected SDK, credential, API-call, and local-output behavior.

Install this only if you intend to use Alibaba Cloud Model Studio services. Review the downstream skill selected for each task, use a limited DashScope API key, be explicit before mutating operations, consider pinning the dashscope package version, and clear saved output files if they contain sensitive content.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 76% confidence
Finding: The skill is presented as a routing entry point, but its workflow instructs the agent to confirm identifiers, run a read-only query, and execute target operations. That scope expansion can cause an agent to perform real API actions from a skill the user may invoke expecting only capability selection, increasing the risk of unintended external calls or mutating operations under available credentials.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal