Alicloud Platform Openapi Product Api Discovery

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent Alibaba Cloud API-discovery helper whose credential, network, and file-output behavior matches its stated purpose.

Before installing, confirm you are comfortable letting it query Alibaba Cloud metadata with provided credentials. Use narrowly scoped read-only or temporary credentials, keep endpoint variables pointed at official Alibaba Cloud domains, and review generated inventory files before sharing them because they may reveal cloud product and API context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill instructs execution of multiple Python scripts that use environment variables, file I/O, and network access, yet it declares no permissions or capability boundaries. This creates a transparency and policy-enforcement gap: an agent or reviewer cannot reliably understand or restrict what the skill is allowed to access before execution, increasing the chance of over-privileged runs, unintended credential use, or data exfiltration through networked scripts.

VirusTotal

66/66 vendors flagged this skill as clean.
