Back to skill

Security audit

HC DWS CPU Diag Test

Security checks across malware telemetry and agentic risk

Overview

The skill appears aimed at Huawei Cloud DWS diagnosis, but it asks users to handle powerful cloud credentials in unsafe ways and includes unrelated OBS storage setup guidance.

Review this before installing. Use only least-privilege Huawei Cloud credentials, avoid command-line or plaintext AK/SK examples, remove or ignore the OBS setup unless the publisher explains why it is needed, and do not save diagnostic reports containing SQL or host details unless the storage location is private and temporary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a bounded diagnosis workflow using listed tools, but it additionally instructs the agent to save an HTML file to the local workspace. That creates an unannounced side effect outside the declared tool scope and can write potentially sensitive diagnostic content to disk without user awareness or consent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The workflow instructs execution of local shell/CLI commands such as `hcloud version` and other `hcloud` invocations, even though the allowed-tools list only names MCP tools. This expands the execution surface beyond the declared tool boundary and can permit unintended command execution paths, environment probing, and use of locally configured credentials.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The skill states that output only contains the diagnosis report, but later adds a local file-writing action. This mismatch is dangerous because it hides a persistence side effect from users and reviewers, undermining trust and making data handling behavior harder to assess.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file is presented as part of a DWS CPU diagnosis skill, but the title and instructions are for OBS object storage tooling and bucket-related CLI usage. This scope mismatch can mislead users into installing and configuring unrelated tools and credentials, increasing the chance of unnecessary credential exposure and unintended access to storage resources.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The document includes OBS storage authentication, bucket listing, endpoint configuration, and obsutil usage that do not align with a CPU diagnosis skill. In this context, unrelated operational steps expand the attack surface by prompting users to configure broad cloud storage credentials and perform actions outside the expected diagnostic scope.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatically saving the generated HTML report to the workspace creates a local artifact containing cluster identifiers, hostnames, SQL text, and diagnosis details, but the user is not warned. In shared or persistent environments, this can expose sensitive operational or query information to other processes or users.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The obsutil configuration example places the access key and secret key directly on the command line, which can leak secrets through shell history, process listings, audit logs, or terminal recording. Unlike the hcloud non-interactive example, this section does not provide an adjacent warning, making unsafe secret handling more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly tells users to place AK/SK in plaintext in a YAML configuration file before encryption occurs later, which creates a window where highly sensitive cloud credentials may be stored on disk, copied into backups, committed to source control, or exposed through local file access. In the context of a cloud operations skill that accesses DWS monitoring APIs, compromise of these credentials could enable unauthorized access to cloud resources and monitoring data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Passing AK/SK directly as command-line arguments exposes secrets to process listings, shell history, audit logs, crash reports, and terminal recording tools. Because this skill is intended for diagnosing Huawei Cloud DWS environments, leaked credentials could be reused to query or manipulate cloud resources depending on IAM scope, making the documentation materially dangerous in operational environments.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.