Alicloud Data Lake Dlf

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Alibaba Cloud Data Lake Formation helper, with normal cloud-credential and API-change risks that users should manage carefully.

Install only if you want an agent to help manage Alibaba Cloud Data Lake Formation. Use least-privilege or short-lived Alibaba Cloud credentials, review any saved output before sharing it, and require clear confirmation before running API calls that create, update, modify, or set cloud resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill invokes capabilities to read cloud credentials from environment/shared config, write local artifacts, and make network calls, but it does not declare those permissions. This creates a transparency and governance gap: users and policy engines cannot accurately assess what the skill can access before execution, increasing the risk of unintended credential use or exfiltration through outbound requests.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The skill is presented as managing Data Lake Formation resources, but the documented executable path focuses on OpenAPI metadata discovery and generating local API inventory files. That mismatch can mislead operators about what the skill actually does, causing them to approve execution under false assumptions and potentially expose credentials or trigger unexpected network/file activity unrelated to the stated task.

Missing User Warnings

Medium
Confidence: 84%
Finding: The skill describes Create/Update/Modify/Set operations but does not include a clear user-facing warning that these actions can change cloud resources or data. In a cloud administration context, omission of that warning is more dangerous because users may run the skill expecting read-only diagnostics and unintentionally perform destructive or costly mutations.

Missing User Warnings

Medium
Confidence: 90%
Finding: The skill instructs the agent to source Alibaba Cloud credentials from environment variables and shared credential files without warning that these are sensitive secrets that must not be logged, echoed, or written to artifacts. Because the skill also uses network and file-write behavior, the surrounding context increases risk of accidental credential disclosure in outputs, debugging logs, or outbound requests.

VirusTotal

62/62 vendors flagged this skill as clean.
