Back to skill

Security audit

Alicloud Security Content Moderation Green

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Alibaba Cloud Content Moderation helper that uses normal cloud-management credentials and writes local API inventory files without evidence of hidden or unsafe behavior.

Install this only if you want an agent to inspect or change Alibaba Cloud Content Moderation resources. Use a least-privilege Alibaba Cloud access key, confirm every create/update/modify/set action before it runs, and review or delete generated output files if they contain internal cloud details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill requires access to environment variables, network, and file writes, but does not declare these permissions explicitly. This creates a transparency and governance gap: the agent may access Alibaba Cloud credentials from the environment, make outbound API requests, and persist data locally without the permission model clearly signaling those capabilities to reviewers or users.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.