Back to skill

Security audit

Huawei Cloud CodeArts Code Gen

Security checks across malware telemetry and agentic risk

Overview

This skill is a real CodeArts integration, but it asks for cloud credentials, changes persistent local permissions, and runs remote installer code in ways that deserve careful review before installation.

Install only if you explicitly want all coding tasks routed through Huawei CodeArts and are comfortable giving it Huawei Cloud AK/SK credentials. Prefer temporary, least-privilege credentials, avoid saving secrets to shell startup files or user environment variables, review the downloaded installer source, and inspect the generated permission file before allowing broad local read/write or web capabilities.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell scripts and external CLIs but declares no explicit permissions, which obscures its true capabilities from users and policy controls. That lack of declaration increases the chance of unexpected command execution, filesystem modification, and network activity occurring without appropriate review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill is presented as a code-generation entry point, but its actual behavior includes downloading/installing software, persisting credentials in shell config, modifying permission files, and performing external connectivity/authentication steps. This mismatch can mislead the agent or user into authorizing sensitive actions they would not expect from a simple code-generation skill.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script tells users it is restricting access to a workspace, but even in restricted mode it still grants broad capabilities outside that scope, including websearch, external_directory_read on '*', and several global command allowances. This violates least privilege and can mislead users into approving a configuration that is materially broader than described.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
A script presented as needed for code generation also enables unrelated capabilities such as browser/web access and external directory read permissions. In a mandatory code-generation skill context, this broadens the agent's reach beyond what users would reasonably expect, increasing the risk of data access or network use unrelated to the requested task.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script advertises itself as safely configuring file write permissions, but it writes a much broader permission policy that enables websearch, external_directory_read, and multiple shell command patterns. This is dangerous because users or invoking agents may consent under a narrower understanding, while the resulting policy materially expands data access and operational capability beyond code generation needs.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as a mandatory code-generation entry point, but this file modifies persistent local CLI permissions instead of generating code. In the context of a mandatory routing skill, that mismatch is especially dangerous because it can coerce broad privilege changes as a prerequisite to ordinary coding tasks, increasing the blast radius across future sessions.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The script tells users their AK/SK will remain only in the local AI Shell environment, but its save path persists them as user-level environment variables via SetEnvironmentVariable(..., "User"). That mismatch can cause users to disclose long-lived cloud credentials under false assumptions, increasing exposure to other local processes, future sessions, or other users with access to the profile.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The error JSON offers an option to "Write code directly" even though the skill metadata mandates routing all code generation through this skill. In an agentic system, contradictory control-flow guidance can be exploited to bypass intended security, auditing, or policy gates enforced by the CodeArts path.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The JSON help text tells users that AK/SK are stored only in local environment variables and not persisted, but the script can persist them to ~/.bashrc via --save-aksk and even advertises that save command. This is a security-relevant deception because users may disclose long-lived cloud credentials under false assumptions, increasing the chance of credential theft from shell startup files, backups, or other local processes.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger conditions are so broad that almost any request involving code, files, modules, or features will activate this skill. In context, that means routine development requests are funneled into a workflow that can install software, request credentials, and call external services, greatly expanding exposure.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The mandatory invocation rules provide expansive examples and 'no exceptions' language without defining safe boundaries for when the skill should not run. This ambiguity encourages over-activation and can pressure the agent to perform risky setup and credential flows unnecessarily.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Save-AkskConfig writes sensitive AK/SK values to persistent user environment variables without an explicit consent prompt at the moment of storage. Persisting cloud credentials this way broadens their lifetime and accessibility, especially in a shared or monitored host, and may surprise users who intended temporary use only.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script stores Huawei Cloud access credentials in plaintext in ~/.bashrc, a broadly readable and commonly backed-up shell initialization file, without a clear user-facing warning about persistence and exposure risks. In a mandatory code-generation skill that asks for cloud AK/SK, this is especially dangerous because it normalizes long-term secret storage in an insecure location.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to collect Huawei cloud AK/SK credentials and store them in plaintext in ~/.bashrc. Plaintext persistence of cloud secrets materially increases the risk of credential theft, unintended reuse, shell-history exposure, lateral movement, and compromise of the user's cloud resources.

Ssd 3

High
Confidence
98% confidence
Finding
The example workflow directs the user to enter secrets and then passes them as command-line arguments to a setup command. Secrets supplied on the command line can be exposed via process listings, shell history, logs, and debugging output, making compromise easier than even environment-variable storage alone.

Session Persistence

Medium
Category
Rogue Agent
Content
1. **Do not offer alternatives prematurely**:
   On `need_input` (AK/SK required) or `need_consent` (permission authorization required),
   directly request the needed input or consent from the user.
   Do NOT offer alternatives like "or I can just write the code directly".

2. **Only offer alternatives after repeated errors**:
   Only after encountering `error` status (exit code 30/40/50) AND retrying multiple times
Confidence
81% confidence
Finding
write the code directly". 2. **Only offer alternatives after repeated errors**: Only after encountering `error` status (exit code 30/40/50) AND retrying multiple times without success may the a

External Script Fetching

High
Category
Supply Chain
Content
case "$OS" in
        Linux|macOS)
            if ! command -v curl >/dev/null 2>&1 && ! command -v wget >/dev/null 2>&1; then
                output_error 30 "dependency_missing" \
                    "curl or wget is required to download the install script" \
                    "Install curl: apt install curl or yum install curl"
Confidence
99% confidence
Finding
curl >/dev/null 2>&1 && ! command -v wget >/dev/null 2>&1; then output_error 30 "dependency_missing" \ "curl or wget is required to download the install script" \

External Script Fetching

High
Category
Supply Chain
Content
case "$OS" in
        Linux|macOS)
            if ! command -v curl >/dev/null 2>&1 && ! command -v wget >/dev/null 2>&1; then
                output_error 30 "dependency_missing" \
                    "curl or wget is required to download the install script" \
                    "Install curl: apt install curl or yum install curl"
Confidence
99% confidence
Finding
wget >/dev/null 2>&1; then output_error 30 "dependency_missing" \ "curl or wget is required to download the install script" \ "Install curl: apt

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.