Alicloud Compute Fc Agentrun

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Alibaba Cloud AgentRun administration helper, but its cleanup script can delete cloud runtimes if run with real resource IDs.

Install only if you want an agent to help manage Alibaba Cloud AgentRun resources. Use least-privilege credentials, verify the region and resource IDs before running cleanup, avoid production IDs unless intended, and review generated response files before sharing or committing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The script explicitly performs irreversible deletion of a runtime endpoint and the runtime itself, which goes beyond the stated skill description of creating runtimes/endpoints, querying status, and troubleshooting workflows. In an agent context, this mismatch is dangerous because a caller expecting non-destructive management behavior could trigger resource teardown, causing service disruption or loss of operational environments.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The documented cleanup flow takes runtime and endpoint identifiers and invokes a deletion-oriented script, but the skill does not clearly warn that these actions are destructive. In an operations context managing live cloud resources, this omission increases the chance of accidental deletion of production runtimes or endpoints during troubleshooting or routine use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal