Aliyun Cloudauth Verify

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Alibaba Cloud Cloudauth helper that uses expected cloud credentials and API calls for its stated purpose.

Install only if you want an agent to help manage Alibaba Cloud Cloudauth. Use a least-privilege AccessKey, verify the region and resource IDs, and approve create/update/modify/set actions before they run. Do not place credential values in saved evidence files or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill directs use of environment variables, local credential files, network access to Alibaba endpoints, and writing artifacts to disk, but it does not declare these capabilities as permissions. That creates a transparency and consent gap: an agent or reviewer may underestimate that the skill can access secrets, make outbound requests, and persist potentially sensitive API outputs locally.

Vague Triggers

Medium
Confidence: 80%
Finding
The invocation description is broad enough to trigger on generic configuration, status, or troubleshooting tasks, which raises the chance the skill is used in situations where cloud credentials, resource changes, or network calls were not intended. In an agent setting, overbroad routing increases the risk of unnecessary credential exposure or accidental mutation of identity-verification resources.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the use of AccessKey environment variables and a shared credential file but does not include an explicit warning about sensitive secret handling, redaction, storage, or exposure in logs and artifacts. In a cloud-identity workflow, this is especially dangerous because mishandled Alibaba credentials could enable unauthorized API access, account abuse, or wider compromise of identity-verification resources.

VirusTotal

62/62 vendors flagged this skill as clean.
