Security audit

huawei-cloud-dws-io-diag

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent read-only DWS diagnostics tool, but it should be reviewed because it uses local cloud credentials and shell commands while producing reports that can include sensitive SQL and user activity.

Install only in an environment where the agent is allowed to use Huawei Cloud DWS read-only diagnostics credentials and where generated HTML reports may contain SQL text, usernames, query IDs, host/IP data, and workload patterns. Prefer least-privilege IAM, avoid passing AK/SK on command lines, protect the MCP config file, and do not store generated reports in shared or synced workspaces unless that content is approved for those readers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill advertises a constrained tool interface but instructs the agent to execute local Python commands to read configuration and later write files to the workspace. This breaks the declared trust boundary and expands capabilities from approved MCP tools into arbitrary local execution and filesystem access, which can expose local secrets or alter the environment beyond the diagnosis task.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill tells the agent to run inline Python against a local config file to obtain parameters. Even if the example command is narrow, permitting local Python execution for routine parameter resolution creates an arbitrary code execution pattern that can be repurposed to access other files or environment data on the host.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
Forcing the agent to write an HTML report into the workspace exceeds the stated output schema of returning diagnosis strings and introduces unnecessary local side effects. While lower risk than command execution, unneeded file creation can overwrite files, leak sensitive report contents to shared storage, or be abused for persistence in multi-tenant environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly instructs users to place plaintext AK/SK values into a YAML file and to pass them as CLI arguments before encryption occurs, without prominently warning that these values may be exposed through shell history, process listings, local files, backups, or version control. In an ops-focused MCP setup that enables cloud access, credential disclosure could allow unauthorized access to DWS-related APIs and monitoring data.

Ssd 3

Medium
Confidence
97% confidence
Finding
These examples instruct the skill to include specific SQL text, usernames, query IDs, and execution details in the final diagnosis output. In an operational support context, that can leak sensitive business logic, personal identifiers, internal schema details, and workload patterns to users who may not be authorized to see them.

Ssd 3

Medium
Confidence
99% confidence
Finding
This section goes beyond diagnosis and directs the model to echo detailed query text, usernames, collection times, query IDs, and aggregated per-user I/O contributions. In a DWS diagnostics skill, that materially increases the risk of sensitive data disclosure because the outputs may reveal customer SQL, tenant activity, internal operations, and user-level behavior patterns across the cluster.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Return Format**: Success `{"code": 0, "data": [...]}`; Failure `{"code": -1, "message": "error description"}`. On failure, retry once; if still failing, use degradation path and mark as "unavailable" in the report.

**Key Fields per Metric**:
- **IOStat**: ctime, host_id, disk_name, io_data{util, await, r_await, w_await, r_s, w_s, read_iops, write_iops, rMB_s, wMB_s, read_throughput, write_throughput, avgrq_sz, avgqu_sz} → core I/O metrics
- **CpuStat**: ctime, host_id, cpu_data{usr, sys, idle, iowait} → iowait > 30% indicates significant I/O pressure
- **cpu_io_diagnose_detail**: ctime, host_id, active_queries[{query, query_id, userName, cpu_rate, state, inst_name, duration_ms}], io_stats{read_iops, write_iops, read_throughput, write_throughput} → I/O diagnosis details + active queries
- **business_concurrency**: ctime, concurrency_value, active_connections → business concurrency
Confidence
85% confidence
Finding
rMB_s, wMB_s, read_throughput, write_throughput, avgrq_sz, avgqu_sz} → core I/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- Yes → Enter three-stage determination

**Stage 1: Clear I/O Anomaly** — IOPS and throughput far below minimum specification?
- SSD: rMB/s+wMB_s << 900MB/s and r/s+w/s << 8000/s
- HDD: rMB/s+wMB_s << 250MB/s and r/s+w/s << 1000/s
- Yes → Confirmed **I/O Anomaly** (definite hardware issue)
Confidence
85% confidence
Finding
rMB/s+wMB_s << 900MB/s and r/s+w/s << 8000/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Stage 1: Clear I/O Anomaly** — IOPS and throughput far below minimum specification?
- SSD: rMB/s+wMB_s << 900MB/s and r/s+w/s << 8000/s
- HDD: rMB/s+wMB_s << 250MB/s and r/s+w/s << 1000/s
- Yes → Confirmed **I/O Anomaly** (definite hardware issue)

**Stage 2: Clear I/O Overload** — IOPS or throughput exceeds maximum specification?
Confidence
85% confidence
Finding
rMB/s+wMB_s << 250MB/s and r/s+w/s << 1000/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- Yes → Confirmed **I/O Anomaly** (definite hardware issue)

**Stage 2: Clear I/O Overload** — IOPS or throughput exceeds maximum specification?
- SSD: rMB/s+wMB_s > 3500MB/s or r/s+w/s > 20000/s
- HDD: rMB/s+wMB_s > 800MB/s or r/s+w/s > 2000/s
- Yes → Confirmed **I/O Overload** (distinguish throughput overload/IOPS overload/dual overload)
  - Only throughput exceeds maximum → I/O throughput overload
Confidence
85% confidence
Finding
rMB/s+wMB_s > 3500MB/s or r/s+w/s > 20000/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Stage 2: Clear I/O Overload** — IOPS or throughput exceeds maximum specification?
- SSD: rMB/s+wMB_s > 3500MB/s or r/s+w/s > 20000/s
- HDD: rMB/s+wMB_s > 800MB/s or r/s+w/s > 2000/s
- Yes → Confirmed **I/O Overload** (distinguish throughput overload/IOPS overload/dual overload)
  - Only throughput exceeds maximum → I/O throughput overload
  - Only IOPS exceeds maximum → IOPS overload
Confidence
85% confidence
Finding
rMB/s+wMB_s > 800MB/s or r/s+w/s > 2000/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- **System disk I/O high** → pg_log logs / pg_audit audit logs / system-level tasks

**I/O Type Determination** (for overload scenario routing):
- wMB/s >> rMB/s → Write I/O dominant
- rMB/s >> wMB/s → Read I/O dominant

**Output**: io_scenario, io_type, phenomenon_distribution, is_gray_zone, gray_zone_result
Confidence
85% confidence
Finding
rMB/s → Write I/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**I/O Type Determination** (for overload scenario routing):
- wMB/s >> rMB/s → Write I/O dominant
- rMB/s >> wMB/s → Read I/O dominant

**Output**: io_scenario, io_type, phenomenon_distribution, is_gray_zone, gray_zone_result
Confidence
85% confidence
Finding
rMB/s >> wMB/s → Read I/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| Metric | Meaning | Threshold Judgment |
|--------|---------|-------------------|
| r/s, w/s | Read/Write IOPS | SSD upper limit 8000-20000/s; HDD sequential I/O upper limit 1000-2000/s, HDD random I/O upper limit 300-600/s (per RAID group) |
| rMB/s, wMB/s | Read/Write throughput | SSD upper limit 900-3500MB/s; HDD sequential I/O upper limit 250-800MB/s, HDD random I/O upper limit 130-240MB/s (per RAID group) |
| r_await, w_await | Average response time (ms) | Persistently > 100 indicates I/O bottleneck (occasional spikes are normal) |
| avgrq-sz | Average request size (KB) | Normal ~200; < 30 with high IOPS → highly suspect fragmented I/O |
| avgqu-sz | Average I/O queue depth | Persistently > 100 indicates severe I/O queue backlog, combined with await to judge I/O bottleneck |
Confidence
26% confidence
Finding
rMB/s, wMB/s | Read/Write throughput | SSD upper limit 900-3500MB/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| Scenario | Features |
|----------|----------|
| **I/O Throughput Overload** | rMB/s+wMB/s reaching RAID group upper limit + util persistently 99%/100% + await persistently > 100 |
| **IOPS Overload** | r/s+w/s reaching RAID group upper limit + util persistently 99%/100% + await persistently > 100 |
| **I/O Anomaly** | IOPS and throughput far below minimum specification + await persistently > 100 + avgqu-sz persistently > 100 + util persistently 99%/100% |
Confidence
26% confidence
Finding
rMB/s+wMB/s reaching RAID group upper limit + util persistently 99%/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| Metric | Key Fields |
|--------|------------|
| IOStat | ctime, host_id, disk_name, io_data{util, await, r_await, w_await, r_s, w_s, read_iops, write_iops, rMB_s, wMB_s, read_throughput, write_throughput, avgrq_sz, avgqu_sz} → core I/O metrics |
| CpuStat | ctime, host_id, cpu_data{usr, sys, idle, iowait} → iowait > 30% indicates significant I/O pressure |
| cpu_io_diagnose_detail | Flat row structure: ctime, host_id, inst_name, username, cpu_rate, count, datname, io_read, io_write, query_id, query, duration_ms, state. Also contains io_stats: read_iops, write_iops, read_throughput, write_throughput |
| business_concurrency | ctime, concurrency_value, active_connections |
Confidence
26% confidence
Finding
rMB_s, wMB_s, read_throughput, write_throughput, avgrq_sz, avgqu_sz} → core I/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| Metric | Meaning | Threshold Judgment |
|--------|---------|-------------------|
| r/s, w/s | Read/Write IOPS | SSD upper limit 8000-20000/s; HDD sequential I/O upper limit 1000-2000/s, HDD random I/O upper limit 300-600/s (per RAID group) |
| rMB/s, wMB/s | Read/Write throughput | SSD upper limit 900-3500MB/s; HDD sequential I/O upper limit 250-800MB/s, HDD random I/O upper limit 130-240MB/s (per RAID group) |
| r_await, w_await | Average response time (ms) | Persistently > 100 indicates I/O bottleneck (occasional spikes are normal) |
| avgrq-sz | Average request size (KB) | Normal ~200; < 30 with high IOPS → highly suspect fragmented I/O |
| avgqu-sz | Average I/O queue depth | Persistently > 100 indicates severe I/O queue backlog, combined with await to judge I/O bottleneck |
Confidence
26% confidence
Finding
rMB/s, wMB/s | Read/Write throughput | SSD upper limit 900-3500MB/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| Scenario | Features |
|----------|----------|
| **I/O Throughput Overload** | rMB/s+wMB/s reaching RAID group upper limit + util persistently 99%/100% + await persistently > 100 |
| **IOPS Overload** | r/s+w/s reaching RAID group upper limit + util persistently 99%/100% + await persistently > 100 |
| **I/O Anomaly** | IOPS and throughput far below minimum specification + await persistently > 100 + avgqu-sz persistently > 100 + util persistently 99%/100% |
Confidence
26% confidence
Finding
rMB/s+wMB/s reaching RAID group upper limit + util persistently 99%/

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.