huawei-cloud-cce-env-assessment

Security checks across malware telemetry and agentic risk

Overview

This Huawei Cloud assessment skill has a legitimate purpose, but it asks for powerful cloud credentials and handles them in ways that need careful review before use.

Install only if you are comfortable giving the skill access to your Huawei Cloud account and cluster metadata. Use a tightly scoped, temporary credential if possible, run it in an isolated environment, review the repository URL before allowing clone, avoid sudo unless you intentionally approve a specific command, and remove any saved credentials or generated artifacts after the assessment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"-H", f"Host: {host}",
        url
    ]
    r = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, timeout=30)
    
    if log_mode:
        return r.stdout if r.returncode == 0 else None
Confidence
94% confidence
Finding
r = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"Cloning {DOCKERFILE_REPO_URL} -> {app_repo} (depth=1, sparse on api/web)...", file=sys.stderr)
    # Use sparse-checkout to only pull needed directories, speeding up download
    try:
        subprocess.run(["git", "clone", "--filter=blob:none", "--depth=1", "--no-checkout",
                        DOCKERFILE_REPO_URL, str(app_repo)],
                       check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        subprocess.run(["git", "-C", str(app_repo), "sparse-checkout", "init", "--cone"],
Confidence
89% confidence
Finding
subprocess.run(["git", "clone", "--filter=blob:none", "--depth=1", "--no-checkout", DOCKERFILE_REPO_URL, str(app_repo)], check=True, stdout=subpr

subprocess module call

Medium
Category
Dangerous Code Execution
Content
date_str = now.strftime("%Y-%m-%dT%H:%M:%S") + "Z"
        
        def make_request():
            r = subprocess.run(
                ["curl", "-s", "-X", "POST", url,
                 "-H", "Content-Type: application/json",
                 "-d", json.dumps({
Confidence
96% confidence
Finding
r = subprocess.run( ["curl", "-s", "-X", "POST", url, "-H", "Content-Type: application/json", "-d", json.dumps({ "aut

Tainted flow: 'cmd' from os.environ.get (line 171, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"-H", f"Host: {host}",
        url
    ]
    r = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, timeout=30)
    
    if log_mode:
        return r.stdout if r.returncode == 0 else None
Confidence
95% confidence
Finding
r = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, timeout=30)

Tainted flow: 'DOCKERFILE_REPO_URL' from os.environ.get (line 16, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
print(f"Cloning {DOCKERFILE_REPO_URL} -> {app_repo} (depth=1, sparse on api/web)...", file=sys.stderr)
    # Use sparse-checkout to only pull needed directories, speeding up download
    try:
        subprocess.run(["git", "clone", "--filter=blob:none", "--depth=1", "--no-checkout",
                        DOCKERFILE_REPO_URL, str(app_repo)],
                       check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        subprocess.run(["git", "-C", str(app_repo), "sparse-checkout", "init", "--cone"],
Confidence
92% confidence
Finding
subprocess.run(["git", "clone", "--filter=blob:none", "--depth=1", "--no-checkout", DOCKERFILE_REPO_URL, str(app_repo)], check=True, stdout=subpr

Direct flow: os.environ.get (credential/environment) → subprocess.run (code execution)

High
Category
Data Flow
Content
date_str = now.strftime("%Y-%m-%dT%H:%M:%S") + "Z"
        
        def make_request():
            r = subprocess.run(
                ["curl", "-s", "-X", "POST", url,
                 "-H", "Content-Type: application/json",
                 "-d", json.dumps({
Confidence
97% confidence
Finding
r = subprocess.run( ["curl", "-s", "-X", "POST", url, "-H", "Content-Type: application/json", "-d", json.dumps({ "aut

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instruction to retry with sudo on permission errors introduces unnecessary privilege escalation for a read/collect/report workflow. If followed by an agent, this could grant scripts or commands elevated access to the local system, magnifying the impact of mistakes, malicious dependencies, or compromised tooling.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Although presented as an assessment skill, the workflow directs package installation, pip upgrades, virtual-environment setup, and directory cleanup on the local machine. These actions modify the host environment and expand risk beyond passive assessment, especially when dependencies may be fetched from external sources.

Description-Behavior Mismatch

Low
Confidence
79% confidence
Finding
The instruction to explore alternative retrieval methods when collection fails broadens the skill beyond a fixed, reviewable workflow. In a security-sensitive context, open-ended fallback behavior can lead to unvetted commands, unexpected data access, or expansion into additional systems and APIs.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill says the AI must not perform operations not explicitly listed, but elsewhere authorizes exploring alternative retrieval methods. This contradiction undermines enforceable boundaries and creates ambiguity that an agent could resolve unsafely by performing broader actions than a reviewer expects.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill claims to assess a Huawei Cloud CCE environment but also clones and scans an external source repository automatically. That is a scope-expanding behavior with separate trust assumptions and network effects, making the skill more dangerous because it performs additional unprompted data collection from untrusted remote sources.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script reads raw Huawei Cloud access keys from environment variables and injects them into CLI arguments for downstream commands. This is dangerous because command-line arguments are commonly visible to other local processes and telemetry systems, increasing the chance of credential theft and cloud-account compromise.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The collector reaches into additional Huawei Cloud services like AOM, LTS, and HSS beyond core CCE/Kubernetes assessment. In context, this makes the skill more sensitive because it aggregates broader account telemetry and security data than the user may expect from a cluster-environment assessment.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill asks users to provide Huawei Cloud AK/SK credentials and stores them in environment variables without prominent warnings about sensitivity, retention, masking, or safer alternatives. Because these credentials can enable broad cloud API access, mishandling could expose or misuse the user's cloud account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow instructs deletion of historical contents under data/ and artifacts/ without an explicit warning that existing files will be destroyed. This can cause unintended data loss, and in an automated context users may not realize the cleanup is destructive before execution begins.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Directing use of sudo without a clear warning about privilege escalation risks normalizes unsafe execution behavior. In combination with shell commands, dependency installation, and external tooling, elevated execution substantially increases the damage possible from operator error or compromised components.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to download and execute a remote shell script directly, including a non-interactive mode, without any integrity verification, pinning, or warning about the trust boundary. If the distribution endpoint, DNS, TLS trust chain, or hosted script is compromised, users could execute arbitrary code on their systems immediately.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The uninstall and cleanup sections include destructive rm -f/rm -rf commands with no explicit warning, confirmation step, or validation guidance. While intended for legitimate cleanup, these commands can cause irreversible data loss if copied blindly, run in the wrong environment, or adapted incorrectly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Repository cloning occurs automatically with no user-facing warning or consent. In a security assessment skill, silent outbound retrieval of external code is risky because it can surprise users, access unintended endpoints, and pull adversarial content into the analysis environment.

Missing User Warnings

High
Confidence
97% confidence
Finding
Sensitive cloud credentials are transmitted through an external subprocess call without clear warning to the user. Combined with direct AK/SK handling, this creates a substantial risk of secret leakage in process metadata, debugging tools, and local observability pipelines.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to prompt for, display, and persist Huawei Cloud AK/SK credentials as normal workflow state. These are highly sensitive secrets; exposing them in chat, logs, environment variables, or output artifacts can lead to account compromise and unauthorized access across cloud resources.

VirusTotal

65/65 vendors flagged this skill as clean.