Security audit

txcloud-diagnostics

Security checks across malware telemetry and agentic risk

Overview

This Tencent Cloud diagnostics skill is purpose-related, but it needs Review because it can start cloud authentication and run remote shell commands on instances without strong consent or enforcement boundaries.

Install only with a least-privilege Tencent Cloud account. Review every target instance, metric scope, and TAT command before it runs; avoid granting broad admin credentials; do not use this on shared machines unless /tmp auth files and logs are protected and cleaned up after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes shell commands, reads local profile files, and writes sensitive data to /tmp, yet declares no permissions or trust boundaries. This makes its effective capabilities opaque to the platform and users, increasing the chance of unauthorized file access, command execution, or unsafe handling of credentials during routine use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is diagnostics, but the instructions also perform credential bootstrapping, persistence via a background daemon, local secret storage, and broader cloud resource queries. That mismatch is dangerous because users may consent to a benign-seeming diagnostic action without realizing the skill can initiate authentication flows and manipulate credential material on disk.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script claims to be a pure executor for the explicitly supplied target, but it silently expands scope by enumerating attached CBS disks and collecting additional metrics. In an agent setting, this violates least surprise and least privilege: a user/request scoped to one resource can trigger access to related resources and metadata that were not explicitly authorized as input.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module documentation explicitly states that the script does not perform mapping, inference, or behavior beyond executing exact parameters, but the implementation performs implicit cross-resource discovery and diagnosis. In an agent skill, misleading capability boundaries are security-relevant because orchestrators and users may grant trust or permissions based on those stated constraints.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script is presented as a diagnostic prefetch tool, but it includes a hidden privilege expansion path that can remotely execute shell commands on cloud instances through TAT. That materially exceeds the stated purpose of metadata/metric collection and creates a powerful remote-execution capability in a context where users may not expect any command execution at all.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The exec_tat_command function accepts an arbitrary command string and sends it to Tencent Cloud TAT for execution on the target instance. Because there is no validation, allowlist, or sandboxing, any actor who can influence --exec-tat can run destructive commands, access secrets, modify systems, or establish persistence on managed hosts.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The help text claims the TAT feature is limited to read-only commands and CVM/Lighthouse, but the code enforces neither restriction. This mismatch is dangerous because operators or higher-level agents may trust the documentation and unknowingly expose broad remote command execution on unsupported or sensitive targets.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The profile explicitly instructs the agent to run active network probing commands such as ping, mtr, dig, curl, and nc against user-supplied target IPs, domains, and ports from inside customer instances. Even though framed as diagnostics, this enables arbitrary outbound reconnaissance from a privileged cloud asset and expands scope beyond inspecting the instance itself, which can be abused for scanning internal or external targets.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger scope covers essentially any Tencent Cloud-related anomaly, which can cause the skill to activate in many contexts and perform shell-based diagnostics too broadly. Overbroad triggering raises the risk of unintended execution, unnecessary data access, and surprise authentication requests in conversations that did not clearly ask for such actions.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
Forcing all user-supplied times into Beijing time without opt-in can mis-scope the diagnostic window and lead to analysis of the wrong monitoring data. While not a direct code-execution flaw, it can produce misleading conclusions and inappropriate remediation, especially for users or resources operating outside that timezone.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The CLI exposes remote command execution as a normal option without a prominent warning that commands will run on customer instances and that stdout/stderr will be retrieved and surfaced. In an agent skill context, this increases the chance of unsafe execution without informed consent and can lead to disclosure of sensitive host data in returned output.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document explicitly authorizes deeper diagnosis by remotely executing commands through TAT, but it does not require user consent, define safe command boundaries, or warn about the operational sensitivity of running commands on production instances. In a diagnostics skill, this increases the risk of unauthorized or unsafe actions on customer infrastructure, especially if an agent interprets this as implicit permission to execute invasive commands.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script writes the authorization URL, which contains login state and is part of an active authentication flow, to `/tmp/tccli_auth_link.txt`. On multi-user systems, predictable files in `/tmp` can be read, replaced, or raced by other local users or processes, exposing sensitive auth material or enabling interference with the login session.

Session Persistence

Medium
Category
Rogue Agent
Content
Run this when prefetch.py returns `auth_failed`:

```bash
nohup python3 -u scripts/tccli_auth_daemon.py > /tmp/tccli_daemon.log 2>&1 &
sleep 5 && cat /tmp/tccli_daemon.log && cat /tmp/tccli_auth_link.txt
```
Confidence
95% confidence
Finding
nohup

VirusTotal

38/38 vendors flagged this skill as clean.