Security audit

huawei-cloud-business-support-query

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly read-only, but it automatically installs/runs local setup code and uses Huawei Cloud credentials to access sensitive billing and infrastructure data with unsafe TLS handling.

Install only after reviewing the scripts and running them in an isolated environment with least-privilege, read-only Huawei Cloud credentials. Disable or fix SSL verification bypasses before using real account data, avoid automatic setup unless you accept network dependency installation, and treat printed billing/order/account identifiers as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (36)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    # Re-execute the current script using the venv's Python interpreter
    print(f"  使用虚拟环境 Python: {venv_python}")
    os.execv(venv_python, [venv_python] + sys.argv)

def info(msg):
    print(f"  {msg}")
Confidence
85% confidence
Finding
os.execv(venv_python, [venv_python] + sys.argv)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes shell commands, accesses environment variables containing cloud credentials, and performs networked SDK/API calls, yet no permissions are declared to reflect those capabilities. This creates a trust-boundary problem: a caller may expect a harmless documentation/query skill, while execution can install dependencies, validate credentials, and contact cloud services using sensitive AK/SK material.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The manifest advertises a billing/pricing-only read skill, but the document actually describes a broader cloud resource inventory capability, including querying images, disks, networks, generic resources, IAM-derived project IDs, and running environment validation logic. This mismatch can cause the skill to be invoked in contexts where users do not expect broad infrastructure enumeration or dependency installation, increasing the risk of overcollection and unintended cloud access.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The body of the skill documents general Huawei Cloud resource discovery, including specifications, images, disks, existing resources, and dependency mapping, which materially exceeds a billing/support query scope. In practice, this enables infrastructure reconnaissance under the guise of a finance-related skill, making sensitive cloud metadata accessible in situations where such breadth was not intended.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The stated capability scope advertises generic resource listing, detail queries, and dependency relationships rather than business-support-only billing operations. That contradiction broadens what can be queried with configured credentials and makes accidental invocation for unrelated requests more dangerous, because the skill can expose operational inventory beyond cost data.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The top-level documentation claims billing/pricing coverage, but the remainder defines a general cloud resource query workflow. This inconsistency is dangerous because reviewers and users may approve or invoke the skill based on a narrower understanding than its real operational behavior.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script is presented as a Huawei Cloud pricing inquiry tool, but it never calls any Huawei Cloud billing or pricing API and instead returns locally hard-coded estimates. In a billing-support skill, this can mislead users into treating approximate or stale values as authoritative pricing, creating business risk through inaccurate cost decisions.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The CLI description markets the script as a DCS pricing inquiry, but the implementation only performs a simple local formula calculation using fixed per-GB rates. This mismatch can cause users to rely on it as an official quote, especially in a financial context where precision and provenance matter.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The code explicitly sets `ignore_ssl_verification = True`, disabling server certificate validation for Huawei Cloud API requests. This enables man-in-the-middle interception or response tampering by any attacker controlling the network path or a configured proxy, which is especially risky because the skill handles cloud access credentials and billing data.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This script exposes ECS flavor enumeration capability, which goes beyond the declared billing/pricing-only scope of the skill. Scope expansion is dangerous because it gives users access to general infrastructure discovery primitives that can aid cloud reconnaissance and violate least-privilege expectations for a finance-focused skill.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code performs broad ECS specification discovery, including pagination, filtering, and sorting of available compute flavors, which is not necessary for a billing support skill as described. While read-only, this kind of metadata enumeration can help an attacker map available regions and instance types for follow-on abuse, and it weakens trust boundaries by embedding unrelated cloud discovery behavior in a financial assistant.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This billing/pricing query skill includes an environment bootstrapper that creates virtual environments, installs packages, and may invoke system package managers. That materially exceeds the advertised read-only business-support scope and expands the attack surface to local system modification and remote code supply-chain risk.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script queries IAM projects and claims service-availability validation outside the narrow billing/pricing use case. Even if read-only, probing account/project metadata broadens the accessible cloud surface and may disclose organizational structure not needed for billing queries.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This script queries SFS Turbo share types, which is outside the declared billing/pricing-only scope of the skill. Even though it is read-only, it expands the agent’s effective cloud reconnaissance surface and can disclose infrastructure-related service capabilities that a user of a billing skill would not reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Enumerating SFS Turbo share types provides service configuration intelligence unrelated to billing support, creating an unnecessary information-disclosure capability. In the context of an over-privileged or misrouted agent, this can aid environment mapping and weaken the principle of least privilege.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger set contains broad billing/cost terms that can match many ordinary requests, increasing the chance this skill is auto-selected even when the user did not intend to run credential-backed cloud queries. Because the skill can execute local scripts, install dependencies, and contact Huawei APIs, overbroad triggering amplifies the blast radius of mistaken invocation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs automatic execution of environment preparation that may install dependencies, validate credentials, and contact IAM/service APIs without an explicit warning or user confirmation at the point of action. Even if intended for setup, automatic package installation and live credential use create supply-chain, privacy, and unintended network-access risks that exceed what many users would expect from a 'query' skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide advertises access to detailed financial and transaction data such as account balances, billing records, coupon changes, payment channels, and consumption details without any sensitivity, privacy, or least-privilege warning. In an agent context, this increases the risk of over-collection, accidental disclosure in chat outputs, or use by operators who do not recognize that the data may contain confidential financial and organizational information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script automatically loads Huawei Cloud credentials and uses them to query potentially sensitive billing and account change data over the network without any explicit user notice, confirmation, or scope disclosure. In an agent skill context, this can expose financial metadata such as transaction IDs, payment channels, account names, and spending history to a caller who may not realize cloud account access is occurring.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The script loads Huawei Cloud credentials and performs a live billing API request, but it provides no explicit user-facing notice that cloud account data will be accessed remotely. In an agent skill context, this can cause unintended disclosure of sensitive financial metadata or surprise network access if invoked without clear consent, even though the operation is read-only.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script retrieves and prints detailed customer order information including customer IDs, order IDs, pricing, payment times, and contract IDs directly to stdout without masking, minimization, or any access-control checks in the script itself. In an agent/skill context, stdout is often surfaced back to the requester or logged by orchestration layers, which can expose sensitive business and account data to unintended viewers.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script automatically loads cloud credentials and immediately performs a remote Huawei Cloud BSS API call to retrieve sensitive billing and account-balance data, but it provides no explicit user disclosure, confirmation, or guardrail before doing so. In an agent/skill context, this can surprise users, expose financial metadata, and normalize silent access to privileged cloud account information even though the operation is read-only.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script downloads and executes get-pip.py from the network, while SSL certificate verification has been globally disabled earlier in the file. This creates a severe supply-chain path to arbitrary code execution via man-in-the-middle, mirror compromise, or malicious content substitution, all without explicit user confirmation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically invokes sudo-based package manager commands to modify the host system without a confirmation gate. In the context of a read-only cloud billing skill, this is unjustified privilege use and can alter the host environment or install untrusted packages unexpectedly.

Unbounded Resource Access

Medium
Category
Excessive Agency
Content
# ── Utility functions ──────────────────────────────────────────────────

def run_cmd(cmd, timeout=None, **kwargs):
    """Run a command and return (returncode, stdout, stderr)

    Args:
Confidence
76% confidence
Finding
timeout=None

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.insecure_tls_verification

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/ensure_env.py:284