ClawHub

Aliyun Anytrans Translate

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Alibaba Cloud translation-service helper that discloses its credential sources, API access, and local output directory.

Install only if you want an agent to work with Alibaba Cloud TongyiTranslate/AnyTrans. Use dedicated least-privilege credentials, avoid broad shared profiles, review any create/update/modify action before it runs, and keep generated output files free of secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill instructs use of environment variables, network access to Alibaba Cloud metadata endpoints, and local file writes, but does not declare these capabilities or permissions explicitly. That creates a transparency and review gap: an operator may invoke the skill without realizing it can access credentials, make outbound requests, and persist data to disk, increasing the chance of unintended secret exposure or unauthorized side effects.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill directs the agent to source Alibaba Cloud credentials from environment variables and a shared credentials file, but provides no safety guidance on secret handling, redaction, or avoiding persistence of sensitive values. In a skill that also uses network access and writes artifacts locally, this raises the risk of accidental credential disclosure through logs, outputs, debugging, or misuse of a more-privileged shared profile.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal