Alicloud Compute Swas Open

Security checks across malware telemetry and agentic risk

Overview

This is a real Alibaba Cloud server-management skill, but it includes a helper that can persistently enable privileged SSH access on a cloud instance.

Install only if you intentionally want an agent to administer Alibaba Cloud SWAS resources with your credentials. Use a least-privilege RAM role or short-lived credentials, confirm every mutating operation, and review scripts/fix_ssh_access.py carefully before use, especially the target instance, target user, public-key fingerprint, SSH port, and whether root SSH login should be enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill claims broad SWAS management, but the referenced helper capability to 'fix SSH access' goes beyond generic management into sensitive host reconfiguration: enabling root login, altering authorized_keys, restarting SSH, and optionally changing the SSH port. Those actions can create or restore privileged remote access paths and materially weaken host security if invoked without strong guardrails, so the description is insufficiently transparent about the actual risky behavior.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script explicitly enables PermitRootLogin yes while advertising itself as fixing SSH access. That materially weakens the instance's remote access posture by allowing direct root SSH logins, increasing the blast radius of any added key, credential compromise, or configuration mistake.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The docstring frames the tool as a repair utility, but the implementation also relaxes SSH hardening by enabling root login. This mismatch is security-relevant because it can cause operators to run a more invasive and risky change than they intended.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow and operation map describe mutating lifecycle actions and remote command execution, but they do not prominently warn that these operations can stop services, alter firewall exposure, reset disks, or execute arbitrary commands on cloud instances. In a cloud-management skill with command-execution support, missing explicit destructive-operation warnings increases the chance of unsafe or unintended changes by users or downstream agents.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The tool sends a remote shell script that modifies authorized_keys and sshd_config and restarts SSH without any confirmation prompt or dry-run summary. In an infrastructure-management context, that can unexpectedly lock out admins, expose SSH more broadly, or change a production host's access controls with a single command.

VirusTotal

66/66 vendors flagged this skill as clean.