Security audit

huawei-cloud-computing-query

Security checks across malware telemetry and agentic risk

Overview

This Huawei Cloud query skill mostly performs inventory lookups, but it also exposes server passwords and console URLs and weakens TLS protections while handling cloud credentials.

Review carefully before installing. Use only with least-privilege Huawei Cloud credentials, avoid running password or console URL scripts unless explicitly needed by an authorized administrator, and assume command output may be logged. The package should ideally remove or isolate credential-recovery features, redact sensitive outputs by default, and restore TLS certificate verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (36)

os.system() or os exec-family call

Severity: High
Category: Dangerous Code Execution
Content:
    # Re-execute the current script with the venv Python
    print(f"  使用虚拟环境 Python: {venv_python}")
    os.execv(venv_python, [venv_python] + sys.argv)

def info(msg):
    print(f"  {msg}")
Confidence: 85%
Finding: os.execv(venv_python, [venv_python] + sys.argv)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill exposes significant execution capabilities (shell, network, environment access, and file writes) without declaring permissions, which undermines transparency and consent. In this context, the skill explicitly runs local scripts, installs dependencies, accesses cloud credentials, and may write local environment/project files, so the missing declaration is a real security issue even if the functionality is operationally intended.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented behavior claims a read-only query skill, but the described capabilities include sensitive secret retrieval (server passwords), remote console URL generation, and environment setup actions that create virtual environments, install packages, and write files. This mismatch is dangerous because users and policy systems may trust the skill as low risk while it can expose privileged access paths and modify the local environment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The guide documents `show_server_password.py`, which exposes server passwords in a skill described as query-only cloud resource inspection. Even if the underlying API supports it, surfacing credential retrieval materially expands the skill from inventory lookup into access-secret disclosure, creating clear risk of account or instance compromise if misused.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: Advertising password retrieval is unjustified in the context of a read-only resource-query skill because it enables access to authentication material rather than ordinary metadata. This increases the likelihood that operators or downstream agents will treat sensitive credential extraction as a normal supported action, leading to privilege abuse or unauthorized login.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: This script retrieves and prints a BMS remote console login URL, which is effectively an access-enabling artifact rather than ordinary read-only metadata. Even if no direct state-changing API is called, exposing a live console URL expands access to interactive server control and contradicts the stated 'query-only' skill scope, increasing the chance of credential misuse, session hijacking, or unauthorized console access via logs or downstream tooling.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The script goes beyond passive resource inspection and retrieves a Windows bare metal server password, which is a highly sensitive credential. In a skill advertised as query-only cloud inventory browsing, adding credential-retrieval capability materially increases abuse potential by enabling direct host access rather than merely viewing metadata.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The code exposes a server password in cleartext output, turning the skill into a credential disclosure mechanism. This is especially dangerous because stdout is often logged, captured by orchestration layers, or shown to downstream users who may not be authorized to receive raw administrative credentials.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The code globally disables InsecureRequestWarning and later configures HTTP clients to ignore TLS certificate verification. This makes Huawei Cloud API traffic vulnerable to man-in-the-middle interception, allowing an attacker on the network or a malicious proxy to observe or tamper with responses while AK/SK credentials or security tokens are in use. In a cloud-query skill, this is especially dangerous because it handles privileged credentials even if operations are read-only.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: This script retrieves an ECS server password and prints it directly, which is a direct secret disclosure capability rather than ordinary infrastructure metadata querying. In the context of a skill advertised as read-only cloud resource inspection, exposing instance credentials materially increases the risk of unauthorized access and credential leakage through logs, terminals, transcripts, or downstream tooling.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The code invokes the cloud API to obtain a server password and then exposes that secret to the caller without any strong justification tied to the stated purpose of listing or inspecting compute resources. A plaintext password can enable direct compromise of the ECS instance, and disclosure via stdout makes accidental exfiltration especially likely in shared shells, CI logs, chat-agent transcripts, or monitoring systems.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The script globally disables TLS certificate verification via ssl._create_default_https_context = ssl._create_unverified_context, weakening every subsequent HTTPS request in the process. In a credential-handling environment script, this enables man-in-the-middle interception or tampering of package downloads and cloud API traffic, which is especially dangerous because the skill claims read-only cloud-query behavior yet handles AK/SK secrets and bootstraps software.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The script performs local package-management and environment-mutation actions such as installing Python and dependencies, which exceed the declared scope of a read-only Huawei Cloud query skill. This increases the attack surface and can surprise users by making privileged or persistent local changes unrelated to querying cloud resources.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: After validation, the script mutates process environment state and writes a .project_id file to disk, which is local state modification inconsistent with a query-only skill description. Even though the value is not a secret, undisclosed persistent file writes and environment mutation can be abused in chained workflows and violate least surprise.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: Overly broad triggers such as generic English terms like 'instance', 'image', 'flavor', and 'scaling' can cause accidental invocation in unrelated contexts. Because this skill performs shell execution, dependency installation, network calls, and credential-backed cloud queries, mistaken activation increases the chance of unintended sensitive operations and unnecessary exposure of cloud metadata.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The guide explicitly documents a capability to retrieve a Windows bare metal server's initial password, which is highly sensitive credential material. Even though this is a read-only cloud query skill, exposing or normalizing access to credential-retrieval operations without clear warnings, access constraints, or safe-handling guidance increases the risk of unauthorized credential disclosure and downstream host compromise.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding: The guide describes obtaining a VNC remote login address for a bare metal server, which facilitates interactive remote access to a live system. In a cloud administration context this can be legitimate, but presenting it without a warning about access sensitivity, authorization requirements, or secure handling can enable misuse or make operators underestimate the security impact of sharing the returned console URL.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The guide combines password retrieval with VNC/remote console login address retrieval and provides no warning that these outputs may expose credentials or direct privileged access paths. In a cloud environment, such details can materially lower the barrier to unauthorized instance access, especially when consumed by autonomous tooling or copied into logs and transcripts.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: Documenting retrieval of serial console login addresses without warning exposes privileged connection information that can aid direct administrative access or facilitate lateral movement. While an address alone is not always sufficient for compromise, treating console endpoints as ordinary metadata underplays their sensitivity and increases accidental disclosure risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script prints the remote console URL directly to standard output with no sensitivity warning, masking, or handling restrictions. If stdout is captured by chat transcripts, terminal history, logs, CI systems, or observability pipelines, the URL may be exposed to unintended parties and could provide time-limited but meaningful interactive access to the target server.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: Printing the Windows bare metal server password directly to stdout creates an immediate secret leakage risk through terminal history, logs, CI systems, chat transcripts, and agent telemetry. The absence of masking, warning, or secure handling means a single invocation can permanently expose the credential to unintended parties.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: Setting ignore_ssl_verification = True disables server certificate validation for all SDK requests created with this configuration. Because this skill authenticates to Huawei Cloud using access keys and optional security tokens, an attacker able to intercept traffic can impersonate endpoints, capture secrets, or manipulate returned cloud resource data without the user being warned.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: Printing the password directly to stdout causes immediate plaintext exposure to any process, user, or logging pipeline that can observe command output. Because agent skills often run in automated environments where outputs are captured and relayed, this behavior is especially dangerous and can turn a single query into credential compromise.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script prints the remote console URL directly to stdout, and such URLs commonly act as bearer-style access links or contain session-specific tokens that grant immediate console access. If terminal output is captured in logs, shell history, CI systems, chat transcripts, or shared operator sessions, an unintended party could reuse the URL to access the instance console without additional user awareness.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The script downloads and executes get-pip.py from remote URLs, and earlier code disables TLS verification globally, making the bootstrap path vulnerable to tampering. Executing remotely fetched Python with access to the user's environment and cloud credentials can lead to full arbitrary code execution and credential theft.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: scripts/ecs/show_server_password.py:46

HTTPS certificate verification is disabled.

Severity: Warn
Code: suspicious.insecure_tls_verification
Location: scripts/ensure_env.py:284