Alicloud Data Analytics Dataanalysisgbi

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Alibaba Cloud DataAnalysisGBI management skill that discloses credential use, metadata lookups, and local output files, with no evidence of hidden exfiltration or unsafe persistence.

Install this only if you want an agent to help manage Alibaba Cloud DataAnalysisGBI. Use a RAM user or role limited to the specific DataAnalysisGBI actions needed, confirm account, region, resource IDs, and parameters before Create/Update/Modify/Set operations, and review saved output artifacts for sensitive cloud metadata.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill uses sensitive capabilities (environment credential access, network calls, and local file writes) but does not declare permissions or surface those capabilities clearly. This creates a transparency and consent problem: an agent may invoke the skill without realizing it can access cloud credentials, contact external endpoints, and persist potentially sensitive artifacts.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 88% confidence
Finding: The description frames the skill as routine Alibaba Cloud resource management, but the documented workflow also includes downloading OpenAPI metadata, enumerating APIs, and writing local artifacts. That mismatch can cause users or orchestrators to authorize the skill under narrower assumptions than its actual behavior, increasing the chance of unexpected network activity and data persistence.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The skill contemplates mutating cloud resources and saving outputs locally, but it does not require an explicit user-facing warning or confirmation before changes are made or artifacts are persisted. In a cloud-management context, silent mutations and saved response data can lead to unintended configuration changes, leakage of resource details, and compliance issues.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal