Back to skill

Security audit

huawei-cloud-ascendc-operator-performance-optim

Security checks across malware telemetry and agentic risk

Overview

The skill matches AscendC profiling work overall, but needs review because its helper workflows can run local build/binary code and delete profiler output without confirmation.

Install only if you are intentionally working on AscendC/CANN operator code. Run the helper scripts only in a disposable or backed-up operator directory, inspect project build/run scripts first, avoid chmod 777 on shared systems, and preserve any OPPROF_* results you still need before profiling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill metadata and visible documentation present the capability as guidance for AscendC operator optimization, but the analyzed behavior indicates it may also execute external build/run scripts in user-supplied operator directories, invoke profiling tools against arbitrary targets, and delete profiling output directories with broad shell patterns. That combination creates command execution and destructive filesystem risk that is materially more dangerous than the declared read/analyze/advise scope, especially in a skill intended to operate on arbitrary operator code paths.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list includes generic terms such as "performance" and broad optimization phrases, which can cause the skill to activate in contexts unrelated to AscendC operator development. Over-broad activation increases the chance that the agent applies privileged tooling or operational guidance to the wrong task, raising the probability of unintended command execution or misuse when combined with tools like bash and python3.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The troubleshooting guidance recommends `chmod 777 /tmp/opprof`, which makes the profiling directory world-writable and world-accessible without any warning or constraint. On multi-user systems this can enable unauthorized modification, deletion, or symlink-based abuse of profiling outputs and can expose sensitive runtime artifacts, making it an unsafe operational practice.

Missing User Warnings

Low
Confidence
85% confidence
Finding
These instructions direct the user to edit source files and rebuild the operator, which changes the local workspace and can introduce unintended modifications if followed blindly. In a security review context, the main risk is undisclosed side effects and execution of newly built code rather than overtly malicious behavior.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The end-to-end script copies directories, runs build scripts, and executes local binaries and profiling tools without any safety warning or confirmation. This is more dangerous because a single pasted script can modify the workspace and run untrusted local code paths end-to-end, which could trigger harmful behavior if the project files or binaries are compromised.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script unconditionally runs `rm -rf OPPROF_*` in the supplied operator directory, which can delete all matching profiling output without confirmation, backup, or scope validation. In an optimization/profiling workflow this may be expected cleanup, but it still risks unintended data loss if prior profiling artifacts are needed or if the script is run in the wrong directory.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script unconditionally runs `rm -rf OPPROF_*` after changing into a user-supplied operator directory, which can delete all matching profiling directories without confirmation, backup, or validation of the working directory. In this skill context the script is intended for local build/profiling workflows, so the issue is likely accidental rather than malicious, but it still creates a real risk of unintended data loss if run in the wrong directory or if important artifacts match the pattern.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.