Back to skill

Security audit

HC DWS CPU Diag Test3

Security checks across malware telemetry and agentic risk

Overview

This DWS diagnosis skill is not clearly malicious, but it should be reviewed because its setup docs expand into unrelated OBS tooling and expose cloud credential-handling risks.

Install only after confirming you need this skill to run local hcloud commands or the DWS MCP server, and do not follow the OBS/obsutil setup unless you separately require OBS access. Use least-privilege DWS read-only credentials, avoid putting AK/SK values on command lines or in shared files, and treat generated HTML reports as sensitive operational data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to write an HTML file into the workspace, creating a filesystem side effect that is not disclosed in the manifest’s declared outputs or tool surface. Undisclosed file writes are dangerous because they can overwrite artifacts, leak sensitive diagnostic data into persistent storage, or be chained with downstream automation that trusts workspace contents.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill directs execution of local shell/CLI commands such as `hcloud` and `python -c`, but the manifest only allowlists MCP tools. This expands the effective capability beyond the declared interface, undermines tool sandboxing assumptions, and can expose the host environment to command execution risks or unintended access to local configuration and credentials.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation claims the output only contains a diagnosis report, but later adds a file-save side effect. This inconsistency is dangerous because reviewers, orchestrators, or users may rely on the earlier statement and not anticipate persistence of potentially sensitive cluster diagnostic data.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file is materially mismatched with the declared skill purpose: it presents installation guidance for Huawei Cloud OBS tooling and object storage statistics rather than a DWS CPU diagnosis workflow. In a security-sensitive agent context, such capability drift can cause operators or downstream automation to install and configure unrelated tools, expand privileges unnecessarily, and expose credentials to the wrong subsystem.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The guide provides extensive OBS-specific operational and credential guidance that is not justified by a DWS CPU diagnosis skill. This unnecessary capability expansion can prompt users to configure obsutil, grant extra IAM/OBS permissions, and perform bucket access tests unrelated to the skill, increasing attack surface and the chance of credential misuse.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill mandates saving the generated report into the workspace without warning the user or requesting consent. Silent persistence of diagnostics can expose cluster IDs, hostnames, usernames, SQL text, and operational details to other processes or future sessions that can read workspace files.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The obsutil example places AK/SK directly on the command line without warning that secrets may be captured in shell history, terminal logs, audit systems, or visible to other local users via process inspection. Because this is an installation guide, readers are likely to copy-paste the command verbatim, making credential exposure more likely in real environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to place AK/SK in plaintext in a YAML file and also shows passing secrets directly on the command line via --ak/--sk. Even if the software later encrypts stored values, plaintext-at-entry and CLI argument exposure can leak secrets through shell history, process listings, terminal logs, CI logs, or screenshots, which is particularly sensitive because these credentials authorize cloud API access.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.