Aliyun Esa Manage

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Alibaba Cloud ESA management skill, but it gives an agent broad power to publish or delete live cloud resources and save analytics without enough safeguards.

Install only if you intend to let the agent administer Alibaba Cloud ESA. Use a dedicated least-privilege RAM role, avoid root or account-wide keys, require explicit confirmation for production deploys and deletes, review target site/routine/domain/namespace IDs before changes, pin SDK versions, and treat exported analytics files as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill instructs use of environment variables for Alibaba Cloud credentials, outbound API calls to Alibaba endpoints, and writing artifacts under an output directory, but it does not declare permissions for env, network, or file_write. That mismatch creates hidden capability risk: an agent or reviewer may underestimate that the skill can access secrets, modify local files, and make authenticated changes to cloud resources.

Vague Triggers

Medium
Confidence: 81%
Finding: The 'Use when' triggers are broad enough to match many generic cloud-management situations, increasing the chance the skill is invoked automatically in contexts broader than intended. Because the skill includes destructive actions like deleting sites, changing DNS, publishing edge code, and modifying cache behavior, over-broad routing can lead to high-impact accidental use.

Missing User Warnings

Medium
Confidence: 92%
Finding: The skill documents deletion and live configuration operations for sites and DNS without prominent warnings about production impact, propagation effects, or outage risk. In this context, modifying or deleting ESA sites, DNS records, cache rules, or access types can break availability, misroute traffic, or remove acceleration for live domains.

Missing User Warnings

Medium
Confidence: 92%
Finding: The documentation and sample code explicitly deploy to both staging and production by default without requiring an explicit confirmation step or warning about the operational impact. In an infrastructure-management skill, this increases the chance of unintended live changes, outages, or accidental publication of unreviewed content because users may copy the example directly into automation.

Missing User Warnings

Medium
Confidence: 86%
Finding: The script automatically writes queried ESA analytics data to a local JSON file, and the exported fields can include sensitive operational data such as client IPs, hosts, paths, queries, referrers, and user agents depending on the chosen dimension. This is risky because the persistence is implicit and may create unprotected local copies of sensitive telemetry without clear user awareness or controls.

VirusTotal

64/64 vendors flagged this skill as clean.