ClawHub

Alicloud Compute Fc Serverless Devs

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed guide for using Alibaba Cloud Function Compute through Serverless Devs, with expected but sensitive cloud credential and deploy/remove steps.

Install only if you want an agent to help manage Alibaba Cloud FC resources. Use temporary or least-privilege credentials, avoid putting secrets directly in command history or logs, prefer the no-sudo install path when possible, verify the Serverless Devs package, and require explicit confirmation before deploy, custom-domain, or remove commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill includes mutating and destructive commands such as deploy and remove without an explicit warning that they will create, modify, or delete cloud resources and may incur charges or service disruption. In an agent-driven context, this is dangerous because a user or automated system may follow the flow verbatim and perform irreversible changes without a deliberate confirmation step.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill shows secrets being passed directly on the command line and exported in environment variables/JSON, which can leak through shell history, process listings, terminal logs, CI logs, or captured evidence artifacts. Because this skill explicitly handles cloud access keys for a privileged deployment tool, exposure could lead to unauthorized access, resource takeover, data exposure, or destructive cloud actions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal