Back to skill

Security audit

Aliyun Ecs Manage

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Alibaba Cloud ECS management tool, but it needs Review because it can run arbitrary commands on cloud servers with active cloud credentials and little built-in safety friction.

Install only if you intentionally want an agent to administer Alibaba Cloud ECS. Use temporary or least-privilege RAM credentials, prefer read-only credentials for inventory, review every lifecycle/disk/snapshot/security-group action, and require explicit human approval before using the remote command helper on production instances.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly relies on environment-based credentials and writes artifacts to local output paths, but it does not declare those capabilities as permissions. Hidden or undeclared capabilities reduce transparency for reviewers and users, making it easier to over-trust the skill and harder to apply least-privilege controls. In a cloud-management skill handling AccessKeys and writing command output, this is materially relevant.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description presents it as a general ECS management tool, but the body includes materially more sensitive behaviors: querying CloudMonitor metrics and, more importantly, running arbitrary remote commands on ECS instances via Cloud Assistant. This mismatch can mislead operators about the true power of the skill, causing unsafe invocation in contexts where remote execution was not expected or approved.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill provides a ready-to-use pathway for arbitrary shell command execution on ECS instances but does not prominently warn about the security and operational consequences. Remote command execution can expose secrets, alter system state, establish persistence, or disrupt workloads; omitting warnings increases the chance of accidental or unauthorized misuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill enumerates destructive or irreversible operations such as deleting instances, replacing/resetting disks, deleting snapshots/images, and modifying security groups without clear user-facing cautions. In a cloud administration context, this can normalize dangerous actions and increase the risk of accidental data loss, downtime, or exposure through incorrect automated use.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script performs remote command execution immediately once invoked, with no built-in confirmation, safety interlock, or friction for a destructive action. In an agent context, this increases the chance of accidental or prompt-induced execution of harmful commands against production ECS instances.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script emits the full command text and decoded stdout/stderr either to stdout or a file without any redaction or warning. Remote command output often contains secrets, configuration data, tokens, host details, or customer data, so this behavior can leak sensitive information into logs, terminals, artifacts, or downstream systems.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.