huawei-cloud-ascend-command

Security checks across malware telemetry and agentic risk

Overview

The skill is openly described as a Huawei Ascend NPU administration tool, but it exposes remote, high-impact device control with weak scoping around raw command execution, confirmation of state-changing actions, and credential handling.

Install only if you intentionally need an agent to administer Huawei Ascend NPUs. Prefer read-only use, SSH keys and least-privilege accounts, explicit device IDs, and manual review before any firmware, certificate, vNPU, ECC, fan, reset, or raw npu-smi command. Avoid command-line passwords and do not follow the chmod 666 troubleshooting step on shared or production systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Description-Behavior Mismatch

Medium severity, 92% confidence
Finding
This reference expands the skill from monitoring and routine management into materially more powerful configuration operations, including performance tuning, clock changes, secure boot changes, thermal threshold modification, and reset actions. Broadening documented capabilities beyond the declared scope increases the chance the agent exposes unsafe device-control paths to ordinary users and enables disruptive or security-relevant state changes on production NPUs.

Context-Inappropriate Capability

High severity, 97% confidence
Finding
Secure boot management is a security-sensitive control that affects the trust boundary of the device and should not be casually exposed through a natural-language skill. Even if only enabling is documented here, exposing this control outside a clearly justified administrative security workflow can cause lockout, operational disruption, or unsafe changes to platform security posture.

Context-Inappropriate Capability

High severity, 98% confidence
Finding
Factory reset is destructive and can wipe operational configuration across an accelerator device, causing downtime and loss of tuned or required settings. Including it in a broadly triggered natural-language skill makes accidental or unauthorized invocation far more plausible, especially in remote management scenarios.

Description-Behavior Mismatch

High severity, 98% confidence
Finding
The file exposes generic command execution beyond the declared NPU-management scope via `execute_batch`, `test_flops_*`, and direct `_execute` use with commands like `mkdir`, `cat`, `rm`, and arbitrary command lists. In SSH mode this becomes remote shell execution, enabling misuse of the skill as a general command runner on managed hosts rather than a constrained hardware-management client.

Context-Inappropriate Capability

High severity, 97% confidence
Finding
`execute_batch` accepts a list of commands and concatenates them into a single command string, creating a generic multi-command execution primitive. This capability is unnecessary for the stated purpose and materially increases abuse potential because any caller who can influence the command list can execute unintended commands locally or remotely.

Intent-Code Divergence

Medium severity, 81% confidence
Finding
The top-level docstring states the client executes `npu-smi` commands, but the implementation also runs other binaries and shell-oriented command strings. This mismatch is dangerous because it can mislead reviewers, orchestrators, or users into granting trust and permissions appropriate for a narrow diagnostic tool while the code actually provides broader execution capability.

Intent-Code Divergence

Medium severity, 84% confidence
Finding
The batching docstring explicitly presents the feature as a generic command list executor, contradicting the skill's narrow NPU-management framing. In a security-sensitive automation context, this kind of capability broadening increases the chance that consumers unknowingly expose a general-purpose remote execution surface.

Vague Triggers

Medium severity, 93% confidence
Finding
The trigger list is very broad and includes generic terms such as 'power', 'compute', 'health', 'memory', and 'upgrade', which can cause the skill to activate for unrelated requests. In this skill, unintended invocation is more dangerous than usual because the capability set includes shell and SSH access and supports state-changing operations like firmware upgrade, ECC changes, and vNPU management.

Missing User Warnings

Medium severity, 98% confidence
Finding
The skill repeatedly documents passing SSH passwords on the command line (for example, using --password xxx), which exposes secrets through shell history, process listings, audit logs, and orchestration traces. This is especially risky in this context because the skill is designed for remote administration over SSH, so credential compromise could directly lead to unauthorized access to managed Ascend hosts.

Missing User Warnings

Medium severity, 92% confidence
Finding
The acceptance criteria explicitly endorse SSH password-based access and remote command execution but omit warnings or safeguards around credential handling, host verification, and remote impact. In the context of an infrastructure-management skill capable of changing device state, this increases the risk of credential exposure, unsafe remote execution, and inadvertent administrative actions on production systems.

Vague Triggers

Medium severity, 82% confidence
Finding
The natural-language trigger 'Install certificate'/'Import certificate' maps directly to a sensitive state-changing command that installs certificate material. Because the phrasing is broad and plausible in many benign support conversations, an agent could invoke this action unintentionally, leading to unauthorized trust-store changes or replacement of device certificates.

Vague Triggers

Medium severity, 79% confidence
Finding
The phrase 'Renew certificate'/'Update certificate' is a broad natural-language trigger for a sensitive certificate-management action. In this skill context, renewal changes security credentials on production hardware, so ambiguous phrasing could cause unintended execution and service disruption or trust misconfiguration.

Vague Triggers

Medium severity, 81% confidence
Finding
Overly broad trigger phrases like 'Fan mode' or 'Fan speed' can match ordinary operator conversation and unintentionally route users into state-changing functionality. In a skill that includes sensitive configuration commands, ambiguous activation materially raises the risk of accidental invocation or confused-deputy behavior.

Vague Triggers

Medium severity, 84% confidence
Finding
The phrase 'Performance mode' is ambiguous because it can be interpreted as either a request to display current settings or to modify them. In a device-management skill with privileged operations, that ambiguity increases the chance of incorrect intent resolution and unintended configuration changes affecting stability or performance.

Vague Triggers

Medium severity, 90% confidence
Finding
The trigger phrases in this section include highly generic terms such as "Temperature," "Power usage," and "Memory info," which can match ordinary user language outside the intended Huawei Ascend NPU administration context. In a command-execution skill, overly broad activation can cause the agent to invoke infrastructure-query capabilities unexpectedly, increasing the chance of unintended system interrogation or information disclosure.

Vague Triggers

Medium severity, 95% confidence
Finding
This section of the trigger list contains additional broad triggers like "Usage," "ECC," "Process info," "Topology," and a default-target behavior that can silently route vague requests into device-management operations. Because this skill supports local and SSH remote modes and exposes operational telemetry, accidental activation is more dangerous here than in a read-only informational skill: it can reveal sensitive hardware/process details or drive follow-on administrative actions against the wrong device.

Missing User Warnings

Medium severity, 96% confidence
Finding
The troubleshooting guidance recommends `chmod 666 /dev/davinci*`, which grants world read/write access to NPU device nodes. Even though it notes this is 'less secure,' it does not clearly warn about the security consequences, and in this hardware-management context it could let unprivileged local users interact with accelerator devices, disrupt workloads, access device state, or abuse privileged hardware interfaces.
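The check below is an added example, not part of the skill or its troubleshooting guide. It audits accelerator device nodes for the world-readable/world-writable mode that `chmod 666 /dev/davinci*` leaves behind and reports the tighter owner/group/mode to use instead. The group name `ascend`, the target mode 0660, and the regular-file stand-ins used for demonstration are assumptions, not taken from the page.

```python
"""Device-node permission audit (added example; not the skill's own code).

Assumed, not from the page: TARGET_GROUP "ascend" and TARGET_MODE 0o660 as the
desired state; substitute the group your deployment actually uses.
"""
import glob
import grp
import os
import stat
import tempfile
from typing import Dict, List

TARGET_MODE = 0o660       # rw for owner and group only (assumed target)
TARGET_GROUP = "ascend"   # hypothetical group permitted to use the NPUs


def audit_nodes(pattern: str = "/dev/davinci*") -> List[Dict[str, object]]:
    """Return one record per path matching `pattern` with the problems found.

    "world-*" problems are the direct effect of chmod 666; a group mismatch
    means access is not yet scoped to an operator group.
    """
    findings: List[Dict[str, object]] = []
    for path in sorted(glob.glob(pattern)):
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        problems: List[str] = []
        if mode & stat.S_IWOTH:
            problems.append("world-writable")
        if mode & stat.S_IROTH:
            problems.append("world-readable")
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)
        if group != TARGET_GROUP:
            problems.append(f"group is {group}, expected {TARGET_GROUP}")
        findings.append(
            {
                "path": path,
                "mode": oct(mode),
                "group": group,
                "problems": problems,
                "remediation": f"chgrp {TARGET_GROUP} {path} && chmod {TARGET_MODE:o} {path}",
            }
        )
    return findings


def world_accessible(pattern: str = "/dev/davinci*") -> List[str]:
    """Paths that any local user can read or write: the chmod 666 condition."""
    return [
        str(f["path"])
        for f in audit_nodes(pattern)
        if any(p.startswith("world") for p in f["problems"])  # type: ignore[union-attr]
    ]


def make_sample_dir() -> str:
    """Constructed scratch directory so the audit can be exercised offline."""
    return tempfile.mkdtemp(prefix="davinci-audit-")


def make_sample_node(directory: str, name: str, mode: int) -> str:
    """Constructed stand-in for a device node (a regular file with `mode`)."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8"):
        pass
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for rec in audit_nodes():
        print(rec["path"], rec["mode"], rec["group"], "; ".join(rec["problems"]) or "ok")
```

Running `audit_nodes()` with the default pattern inspects the real `/dev/davinci*` nodes. The durable fix is not a one-off `chown`/`chmod` but a udev rule so the permissions survive reboots and device re-creation, for example `KERNEL=="davinci*", GROUP="ascend", MODE="0660"` (group name assumed) with operator accounts added to that group, which gives the same access the skill needs without opening the nodes to every local user.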

Missing User Warnings

Medium severity, 95% confidence
Finding
The verification guide demonstrates passing an SSH password directly on the command line for remote operations. This can expose credentials through shell history, process listings, logs, screenshots, and copied documentation, increasing the chance of credential disclosure during normal use. In this skill's context, the risk is amplified because the examples target administrative access to remote NPU devices and may encourage use of the root account.

Missing User Warnings

Medium severity, 98% confidence
Finding
The executor permits any input beginning with `npu-smi` to be sent directly to `self.client._run_npu_smi(...)` without validation, policy checks, or confirmation. In this skill's context, `npu-smi` can perform highly sensitive administrative actions such as configuration changes, firmware operations, virtualization changes, and certificate management, so bypassing the skill's confirmation logic enables destructive or unsafe device operations from a single natural-language interaction.

Missing User Warnings

Medium severity, 98% confidence
Finding
The skill accepts an SSH password via the `--password` command-line argument, which exposes credentials through shell history, process listings, audit logs, and orchestration metadata on many systems. Because this skill is explicitly designed for remote device administration, the risk is amplified: operator credentials may be unintentionally disclosed to other local users or captured by monitoring systems, enabling unauthorized access to Ascend hosts.
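The three password-handling findings above (the `--password xxx` examples, the verification guide, and the `--password` argument itself) all come down to one thing: a secret in argv is readable by every local user. Below is an added example of how the SSH mode's argument parsing could refuse that path and resolve credentials from a key file, a mode-0600 password file, or an environment variable instead. This is not the skill's own parser; the flag names `--key` and `--password-file`, the default user `ascend-ops`, and the variable name `ASCEND_SSH_PASSWORD` are assumptions made for the example.

```python
"""Credential loading for an SSH-mode CLI (added example; not the skill's code).

Assumed names, not from the page: --key, --password-file, the default user
"ascend-ops", and the environment variable ASCEND_SSH_PASSWORD.
"""
import argparse
import os
import stat
import tempfile
from typing import Dict, Mapping, Optional, Sequence

ENV_PASSWORD = "ASCEND_SSH_PASSWORD"  # hypothetical variable name


class CredentialError(Exception):
    """Raised when no acceptable credential source is available."""


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(add_help=False)
    p.add_argument("--host", required=True)
    p.add_argument("--user", default="ascend-ops")  # assumed; avoid root by default
    p.add_argument("--key", help="SSH private key path (preferred)")
    p.add_argument("--password-file", help="file holding the password, mode 0600")
    # Declared only so the tool can refuse it with a clear message instead of
    # silently accepting a secret that `ps`, shell history and audit logs record.
    p.add_argument("--password", help=argparse.SUPPRESS)
    return p


def read_secret_file(path: str) -> str:
    """Read a password file, insisting it is a regular file with no group/other bits."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise CredentialError(f"{path} is not a regular file")
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError(f"{path} is group- or world-accessible; expected mode 0600")
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\r\n")


def resolve_credentials(
    argv: Sequence[str], environ: Optional[Mapping[str, str]] = None
) -> Dict[str, str]:
    """Pick a credential source in order of preference: key, 0600 file, env var."""
    env = os.environ if environ is None else environ
    args = build_parser().parse_args(list(argv))
    if args.password is not None:
        raise CredentialError(
            "--password is refused: argv is visible in process listings, "
            "shell history and audit logs; use --key or --password-file"
        )
    base = {"host": args.host, "user": args.user}
    if args.key:
        return {**base, "auth": "key", "key": args.key}
    if args.password_file:
        return {**base, "auth": "password", "password": read_secret_file(args.password_file)}
    # The environment is still readable by the same UID and by root through
    # /proc/<pid>/environ, so it is a last resort rather than the recommendation.
    if env.get(ENV_PASSWORD):
        return {**base, "auth": "password", "password": env[ENV_PASSWORD]}
    raise CredentialError(f"no credential source; use --key, --password-file or {ENV_PASSWORD}")


def resolve_or_reason(argv: Sequence[str], environ: Optional[Mapping[str, str]] = None) -> str:
    """Wrapper that reports 'ok:<auth>' or 'refused: <reason>' instead of raising."""
    try:
        return "ok:" + resolve_credentials(argv, environ)["auth"]
    except CredentialError as exc:
        return "refused: " + str(exc)


def write_secret_file(secret: str, mode: int) -> str:
    """Demonstration helper: write `secret` to a fresh temp file and set `mode`."""
    fd, path = tempfile.mkstemp(prefix="ascend-pw-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(secret + "\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    print(resolve_or_reason(["--host", "npu-host", "--password", "xxx"]))
```

The mode check on the password file is what makes the file path meaningfully better than argv: a 0644 file would leak the secret just as widely. Key-based authentication remains the first choice, matching the page's own recommendation; the password paths exist only for hosts where keys cannot yet be deployed.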

Missing User Warnings

Medium severity, 90% confidence
Finding
The SSH path executes commands on a remote host immediately, with no built-in confirmation, consent checkpoint, or safety interlock. In the context of an agent skill, silent remote execution is especially risky because users may think they are only retrieving information while the code can perform state-changing actions on production devices.

Missing User Warnings

Medium severity, 88% confidence
Finding
The local execution path runs host commands without any explicit disclosure that the skill will spawn local processes. In an agent environment, undisclosed host execution expands trust assumptions and can surprise operators, especially when the same class also includes mutating and broader-than-advertised commands.

Missing User Warnings

High severity, 95% confidence
Finding
The class exposes configuration-changing operations such as ECC toggling, fan control, firmware actions, vNPU creation/destruction, and certificate and threshold changes without warnings, confirmation, or authorization boundaries. These actions can alter device stability, availability, security posture, or firmware state, making accidental or unauthorized invocation materially harmful.
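Several findings above describe one root cause from different angles: `execute_batch` concatenating a command list into a single string, the executor forwarding anything that starts with `npu-smi` unvalidated, the SSH path running immediately with no checkpoint, and state-changing operations lacking a confirmation boundary. The following is an added example of a gated executor that closes all four; it is not code from the skill. Assumptions not taken from the page: the read-only verb set `{"info"}` and mutating verb set `{"set", "upgrade", "clear"}` are illustrative and must be checked against the npu-smi manual for your firmware; `-i` is used as the device-selection flag; `confirm` and `run` are injectable so the policy can be exercised without hardware.

```python
"""Gated npu-smi executor (added example; not the skill's own code).

Assumed, not from the page: READ_ONLY_VERBS / MUTATING_VERBS are illustrative;
`-i` selects the device; `confirm` and `run` are injected for testing.
"""
import shlex
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

READ_ONLY_VERBS = {"info"}                     # assumed read-only verbs
MUTATING_VERBS = {"set", "upgrade", "clear"}   # assumed state-changing verbs
SHELL_META = set(";&|`$<>()\n")                # only a shell would interpret these


class PolicyError(Exception):
    """Raised when a command is refused before anything executes."""


@dataclass
class Decision:
    argv: List[str]
    mutating: bool


def classify(command: str) -> Decision:
    """Tokenise with shlex and admit exactly one npu-smi invocation.

    A bare `command.startswith("npu-smi")` check passes strings such as
    'npu-smi info; <anything else>' straight through to a shell. Here the
    string becomes an argv that is later handed to subprocess WITHOUT
    shell=True, and any token carrying shell metacharacters is refused.
    """
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        raise PolicyError(f"unparseable command: {exc}") from exc
    if len(argv) < 2 or argv[0] != "npu-smi":
        raise PolicyError("only 'npu-smi <verb> ...' is permitted")
    for tok in argv[1:]:
        if SHELL_META & set(tok):
            raise PolicyError(f"shell metacharacter in argument: {tok!r}")
    verb = argv[1]
    if verb in READ_ONLY_VERBS:
        return Decision(argv, mutating=False)
    if verb in MUTATING_VERBS:
        return Decision(argv, mutating=True)
    raise PolicyError(f"verb not in allow-list: {verb!r}")


def is_allowed(command: str) -> bool:
    """True if the policy admits the command (confirmation is a separate gate)."""
    try:
        classify(command)
        return True
    except PolicyError:
        return False


def _default_run(argv: Sequence[str]) -> int:
    # argv reaches execve as-is: ';', '&&' or '$(...)' are never interpreted.
    return subprocess.run(list(argv), shell=False, check=False).returncode


def make_recorder() -> Tuple[List[List[str]], Callable[[Sequence[str]], int]]:
    """Fake `run` that records argv instead of executing (for offline use)."""
    log: List[List[str]] = []

    def run(argv: Sequence[str]) -> int:
        log.append(list(argv))
        return 0

    return log, run


class GatedRunner:
    """Runs npu-smi commands one at a time behind an allow-list and a
    confirmation checkpoint for anything that changes device state."""

    def __init__(self, confirm: Callable[[Decision], bool],
                 run: Callable[[Sequence[str]], int] = _default_run,
                 require_device_id: bool = True) -> None:
        self.confirm = confirm
        self.run = run
        self.require_device_id = require_device_id

    def execute(self, command: str) -> int:
        decision = classify(command)
        if decision.mutating:
            if self.require_device_id and "-i" not in decision.argv:
                raise PolicyError("mutating command must name a device with -i")
            if not self.confirm(decision):
                raise PolicyError(f"operator declined: {' '.join(decision.argv)}")
        return self.run(decision.argv)

    def try_execute(self, command: str) -> str:
        try:
            return f"ok:{self.execute(command)}"
        except PolicyError as exc:
            return f"refused: {exc}"

    def execute_batch(self, commands: Sequence[str]) -> List[int]:
        """Classify, confirm and run each command separately; nothing is joined
        into one shell string, and the batch stops at the first non-zero exit."""
        results: List[int] = []
        for cmd in commands:
            rc = self.execute(cmd)
            results.append(rc)
            if rc != 0:
                break
        return results
```

The same `GatedRunner` wraps the SSH mode unchanged if `run` is replaced by a function that ships `argv` to the remote host as a list rather than a joined string; the classification and confirmation gates then apply before anything leaves the local machine, which is the checkpoint the silent-remote-execution finding asks for.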

Missing User Warnings

Medium severity, 89% confidence
Finding
The FLOPS parallel test creates and deletes files under `/tmp` on the target host without disclosure, and does so using shell commands. In shared or sensitive environments, undisclosed filesystem side effects and predictable temp paths can interfere with other processes, expose data, or be abused through symlink/path manipulation depending on host conditions.

VirusTotal

65/65 vendors flagged this skill as clean.