huawei-cloud-iam-query

Security checks across malware telemetry and agentic risk

Overview

This is mostly a read-only Huawei Cloud IAM query skill, but its setup path and security defaults deserve manual review before installing.

Install only if you are comfortable giving the skill Huawei Cloud IAM read access and allowing its setup script to create a virtual environment and install packages. Prefer temporary, least-privilege credentials, avoid using it on sensitive hosts until TLS verification and dependency pinning are fixed, and treat any printed IAM user, policy, MFA, and access-key metadata as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The body of the skill describes broad cloud resource discovery across images, disks, specs, and general inventory collection rather than IAM-only queries. This scope inflation increases the chance of over-collecting sensitive cloud metadata and using credentials beyond the user’s expected intent, which is especially risky in an identity-focused context.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The capability section advertises generalized resource listing and dependency analysis beyond IAM. In practice, that broadens the reachable attack surface and can facilitate reconnaissance of the wider Huawei Cloud environment under the guise of an IAM read-only lookup.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The execution flow instructs the agent to consult arbitrary `references/<service>` and run arbitrary `scripts/<service>` categories, implying a generic multi-service automation package. That makes the skill more dangerous because the documented execution pattern is extensible to services outside IAM, allowing unintended cloud reconnaissance or execution paths hidden behind a narrow manifest description.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The directory and best-practice sections describe a reusable multi-resource cloud query framework rather than a narrowly scoped IAM skill. This mismatch matters because it normalizes broader discovery behavior and increases the likelihood that operators will run scripts against unrelated cloud assets using IAM-supplied credentials.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The environment helper advertises IAM query setup but its docstring states it also validates project-level service availability via real ECS API calls. That expands credential use and cloud visibility beyond the skill's stated IAM-only scope, violating least privilege and surprising users with additional cloud access.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script creates a virtual environment and re-executes itself automatically, introducing local process and environment mutation unrelated to simple IAM querying. In skill context, this makes the package more dangerous because a read-only cloud query tool should not silently alter local execution state without explicit consent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script attempts privileged OS-level package installation using sudo, winget, yum, dnf, and brew. For an IAM read-only query skill, invoking system package managers is unjustified and can significantly alter the host, creating a high-risk trust boundary violation if users run it expecting only cloud reads.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script downloads remote get-pip.py code and executes it locally, while globally disabling TLS certificate verification elsewhere in the file. This creates a severe remote code execution supply-chain risk, especially dangerous in a skill that should only perform read-only IAM queries and may be trusted with cloud credentials in the environment.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The module description frames the script as environment preparation for cloud querying, but much of the implementation mutates the local machine by installing Python, pip, and packages. This mismatch weakens informed consent and can mislead users into running a host-modifying script under the assumption it is only a harmless read-only helper.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script enumerates IAM permanent access keys and prints the access key identifiers (`access`) along with user IDs and status directly to stdout. While it does not expose secret keys, access key IDs are still sensitive credential metadata that can aid reconnaissance, be captured in logs, terminals, or transcripts, and are especially risky in an agent/tooling context where output may be persisted or shown to unintended parties.

Unpinned Dependencies

Low
Category
Supply Chain
Content
huaweicloudsdkcore>=3.1.0
huaweicloudsdkiam>=3.1.0
Confidence
93% confidence
Finding
huaweicloudsdkcore>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
huaweicloudsdkcore>=3.1.0
huaweicloudsdkiam>=3.1.0
Confidence
93% confidence
Finding
huaweicloudsdkiam>=3.1.0

VirusTotal

VirusTotal findings are pending for this skill version.