Aliyun Cli Manage

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for Alibaba Cloud CLI management, but it should be reviewed because it can automatically download and replace an executable before using powerful cloud credentials.

Install only if you are comfortable with the auto-installer replacing the local aliyun binary with the latest download. Prefer installing the Alibaba Cloud CLI yourself from verified official instructions, use a dedicated least-privilege credential/profile, review any create/update/delete command before it runs, and clean or protect output/aliyun-cli-manage if it contains cloud resource details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'target' from os.getenv (line 115, credential/environment) → shutil.copy2 (file write)

Medium
Category
Data Flow
Content
```python
            extracted = td_path / member.name
            if not extracted.exists():
                raise RuntimeError("extracted aliyun binary missing")
            shutil.copy2(extracted, target)
    mode = target.stat().st_mode
    target.chmod(mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
```
Confidence
94% confidence
Finding
shutil.copy2(extracted, target)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly uses powerful capabilities including shell execution, network downloads, environment-based credential handling, and file system writes, but it does not declare permissions or constraints. This is dangerous because operators and orchestration systems cannot accurately assess or sandbox the skill, increasing the chance of unintended command execution, credential exposure, or unauthorized modification of the local environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose suggests generic Alibaba Cloud CLI operations, but the documented behavior also includes downloading binaries from the internet, installing or overwriting executables, and performing automatic updates with persistent local state. That mismatch is dangerous because users may invoke the skill expecting only API usage while it also changes the host environment and trust boundary by fetching and installing executable code.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This skill includes installer/updater behavior that downloads and replaces executable code, which exceeds the declared scope of merely managing Alibaba Cloud resources via CLI. Hidden installation behavior is dangerous because users or orchestrators may invoke the skill expecting operational commands, not local software modification and execution-path changes.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script automatically downloads an executable archive from the network and installs the contained binary, but this behavior is not disclosed in the skill description and lacks integrity verification such as a pinned checksum or signature check. That creates a software supply-chain risk: if the download source, TLS trust, CDN path, or archive contents are compromised, the script will install untrusted code.

Session Persistence

Medium
Category
Rogue Agent
Content
## Validation

```bash
mkdir -p output/aliyun-cli-manage
python skills/platform/cli/aliyun-cli-manage/scripts/ensure_aliyun_cli.py --help > output/aliyun-cli-manage/validate-help.txt
```
Confidence
84% confidence
Finding
mkdir -p output/aliyun-cli-manage
python skills/platform/cli/aliyun-cli-manage/scripts/ensure_aliyun_cli.py --help > output/aliyun-cli-manage/validate-help.txt
Pass criteria: command exits 0 and

VirusTotal

63/63 vendors flagged this skill as clean.
