Security audit

ACME SSL automation for Alibaba Cloud ESA DNS

Security checks across malware telemetry and agentic risk

Overview

This skill performs the certificate-renewal workflow it describes, but it should be installed only by users who are comfortable granting DNS-changing cloud credentials and, optionally, root cron automation.

Use a least-privilege RAM sub-account, prefer short-lived STS credentials, restrict AccessKey use with an IP allowlist, and review any --ensure-a-record, --install-cert, --reload-cmd and cron settings before running. Avoid long-lived primary-account keys, and remove or rotate the credentials stored for the cron job if the host is shared or later decommissioned.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill documentation describes capabilities to read environment secrets, invoke shell commands, access the network, and potentially write system files or alter Nginx configuration, yet no explicit permissions are declared. This creates a trust and review gap: users and hosting platforms may not realize the skill can access Alibaba Cloud credentials and perform external DNS or host changes, increasing the chance of secret exposure or unintended privileged actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The skill is presented as certificate issuance/renewal automation, but it also exposes functionality to create or overwrite arbitrary A/AAAA DNS records via --ensure-a-record. This expands the capability beyond the stated scope and can let a caller repoint production hostnames to attacker-controlled IPs, causing traffic hijack or outage if the skill is invoked in a broader automation context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The main flow always parses and executes requested A/AAAA record changes before certificate issuance, giving the tool general DNS mutation capability not justified by its declared purpose. In agent environments, hidden extra powers are dangerous because users or orchestrators may trust the skill for cert automation without realizing it can alter live routing records.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The skill description presents certificate issuance/renewal, but the implementation also allows creating and overwriting arbitrary A/AAAA DNS records via --ensure-a-record. This scope expansion increases the chance that users grant the skill broader trust or permissions than expected, enabling unintended DNS changes that could redirect traffic or cause outages.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
# Default locations for the stored credentials file and the renewal wrapper,
# derived from WRAPPER_NAME when the caller did not override them.
if [[ -z "$ENV_FILE" ]]; then
  ENV_FILE="/root/.config/esa-acme-${WRAPPER_NAME}.env"
fi
if [[ -z "$WRAPPER" ]]; then
  WRAPPER="/usr/local/sbin/esa-acme-${WRAPPER_NAME}-renew"
fi
Confidence: 91%
Finding
.env"

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
# Rewrite the invoking user's crontab: keep every existing entry except those
# that already reference the wrapper, then append the renewal schedule.
# Assumes SCHEDULE, WRAPPER and LOG_FILE are set by the surrounding script.
existing=$(mktemp)
newtab=$(mktemp)
crontab -l 2>/dev/null > "$existing" || true          # current table, or empty
grep -vF "$WRAPPER" "$existing" > "$newtab" || true   # drop stale wrapper entries
printf '%s %s >> %s 2>&1\n' "$SCHEDULE" "$WRAPPER" "$LOG_FILE" >> "$newtab"
crontab "$newtab"                                     # install the rewritten table
rm -f "$existing" "$newtab"                           # clean up temp files
Confidence: 93%
Finding
crontab -l

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.