huawei-cloud-ces-ecs-monitoring

Security checks across malware telemetry and agentic risk

Overview

The skill is mainly a Huawei Cloud ECS monitoring helper, but its documentation recommends broader cloud permissions and privileged installation actions than monitoring needs.

Install only if you are comfortable using Huawei Cloud CLI with cloud credentials. Prefer the minimum read-only IAM policy, avoid the full-access/project-scoped examples unless you explicitly need them, do not paste secrets into chat, and review any curl/bash, sudo, or rm -rf command before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Description-Behavior Mismatch

Severity: Medium. Confidence: 90%.
The document includes an ECS resource modification example (`TagServer`) in a skill whose stated purpose is monitoring and metrics query. Even though tagging is a relatively low-risk write action, it expands the operational scope from read-only monitoring to infrastructure mutation, which can normalize or enable unintended state changes if an agent follows the documentation literally.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
The best-practices document expands the skill beyond passive monitoring into alert delivery, notification integration, and automated scaling triggers. In agent contexts, this is dangerous because it can cause the model to infer authority to perform external actions or infrastructure changes that are not declared in the manifest, creating scope creep from observation into control-plane automation.

Description-Behavior Mismatch

Severity: High. Confidence: 96%.
The file is an installation guide for a general-purpose cloud administration CLI, not documentation for an ECS monitoring-only skill. This scope mismatch increases the chance that users are guided into unnecessary privileged setup and broader service access beyond the skill's stated purpose, expanding attack surface and enabling misuse.

Context-Inappropriate Capability

Severity: Medium. Confidence: 94%.
Describing KooCLI as a tool for managing 100+ cloud services is unjustified for a monitoring-focused skill and encourages use of a broad administrative interface. In this context, providing setup for multi-service administration can lead to over-privileged credentials and actions unrelated to monitoring.

Description-Behavior Mismatch

Severity: Medium. Confidence: 96%.
The skill is described as an ECS monitoring capability, but the IAM guidance expands into optional control-plane actions such as remote console access and instance operations. This increases the privilege footprint beyond read-only monitoring and can normalize granting unnecessary access that could be abused for disruption or deeper instance access if the skill, operator, or surrounding workflow is compromised.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
The 'full functionality' policy introduces alarm-management and IAM user/permission enumeration capabilities not required for core ECS metric monitoring. Overbroad recommendations like these can lead administrators to grant powerful permissions by default, expanding blast radius and exposing account metadata useful for reconnaissance.

Description-Behavior Mismatch

Severity: Medium. Confidence: 97%.
The project-scoped example includes `ecs:cloudServers:action` plus wildcard alarm permissions such as `ces:alarms:*`, `ces:alarmTemplates:*`, and `ces:alarmRules:*`. Even with project scoping, these broad actions exceed simple monitoring and could enable disruptive changes, alarm tampering, or unauthorized operational actions within the project.

Context-Inappropriate Capability

Severity: Medium. Confidence: 93%.
Guidance for creating IAM users, attaching policies, and generating access keys teaches administrative credential provisioning that is not justified by a monitoring-only skill. This can encourage users to create long-lived machine credentials and broaden access administration practices beyond the skill's necessary scope.

Vague Triggers

Severity: Medium. Confidence: 92%.
The trigger list contains very broad phrases such as "CPU usage," "memory usage," "disk IO," and "network traffic," which are common across many cloud, systems, and general troubleshooting conversations. This can cause the skill to activate outside its intended Huawei Cloud CES/ECS context, leading to unintended command suggestions or cloud-environment assumptions in unrelated user requests.

Missing User Warnings

Severity: Medium. Confidence: 99%.
The guide instructs users to download and immediately execute a remote shell script, including a non-interactive mode that suppresses confirmation. This is dangerous because any compromise of the hosting location, network path, or script contents results in arbitrary code execution on the user's machine, potentially with elevated privileges.

Missing User Warnings

Severity: Low. Confidence: 90%.
The manual install steps place binaries into /usr/local/bin using sudo without prominently warning that this modifies system paths and requires elevated privileges. While common in installation docs, in a skill context this can normalize privileged execution for users who may not need system-wide installation.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The uninstall and cleanup sections include irreversible rm commands that delete binaries, configuration, and cached data without a clear warning. Users may accidentally remove credentials, profiles, or operational artifacts needed for recovery or audit.

Missing User Warnings

Severity: Medium. Confidence: 98%.
The credential configuration examples show access key and secret key usage via environment variables and plaintext config files without strong warnings about secret handling. Users may inadvertently expose credentials through shell history, process listings, backups, or improperly protected files, leading to account compromise.

VirusTotal

64/64 vendors flagged this skill as clean.