Back to skill

Security audit

huawei-cloud-ecs-passwordless-login

Security checks across malware telemetry and agentic risk

Overview

The skill openly automates cloud server SSH access, but it keeps privileged access alive after the advertised cleanup and makes broad SSH and cloud-account changes.

Install only if you intentionally want an agent to create root SSH access to Huawei Cloud ECS instances. Use a dedicated project/account, verify the target host and SSH host key yourself, avoid long-lived AK/SK credentials on shared machines, prefer non-root access where possible, and manually verify removal of the remote key, COC script, SSH config entry, ControlMaster socket/process, and any broad IAM agency permissions after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
Findings (20)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill advertises temporary passwordless access with cleanup, but explicitly preserves privileged SSH access after key deletion via ControlMaster. That creates covert session persistence while presenting a misleading security narrative, which is dangerous because users may believe access has been revoked when it has not.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The workflow persistently modifies ~/.ssh/config even though the stated goal is temporary passwordless login. Leaving durable local configuration behind increases attack surface, may redirect future SSH behavior, and is inconsistent with the claimed cleanup model.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The cleanup section claims security remediation while simultaneously documenting that access remains available afterward through multiplexing. This is deceptive and dangerous because it undermines the meaning of key removal and can leave operators unaware that privileged access persists.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill disables StrictHostKeyChecking and directs use of /dev/null for known_hosts without a prominent warning. This weakens SSH's trust model and exposes users to man-in-the-middle attacks, especially when connecting to privileged root sessions on cloud hosts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill lacks a clear warning that it will persistently modify the user's SSH configuration and leave access-related artifacts beyond the advertised cleanup. Users may authorize a temporary action without understanding the longer-lived local effects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The acceptance criteria explicitly require passwordless SSH as root using a generated temporary key, but they do not require any user-facing warning, approval gate, or limitation on scope. Even if intended for administration, automated root key deployment materially changes system access and can enable full host compromise if mis-targeted, intercepted locally, or left behind due to cleanup failure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The cleanup flow modifies remote authorized_keys, deletes scripts, and removes local key material, including a fallback path that makes remote changes automatically, yet the criteria do not require explicit user warning or confirmation about these destructive actions. This is dangerous because mistakes in key matching, host targeting, or cleanup logic could remove valid access paths, interfere with incident investigation, or mask what access was granted.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly recommends exporting Huawei Cloud access credentials as environment variables, which can expose secrets through shell history, process inspection, debugging output, inherited child processes, or accidental logging in CI/CD and shared environments. In a skill that automates cloud IAM, COC, and SSH access to ECS instances, compromise of these credentials could enable unauthorized cloud API access and escalation into infrastructure control.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions bind roles to the `ServiceAgencyForCOC` agency across all projects using `AssociateAgencyWithAllProjectsPermission`, which creates broad cross-project access for COC operations. Even though the listed roles are not obviously admin-level, this expands the blast radius of any misuse or compromise of the agency and the document does not clearly warn users about that scope or recommend least-privilege alternatives.

Ssd 4

High
Confidence
99% confidence
Finding
The workflow normalizes durable privileged access as part of a 'security cleanup' story, which is semantically deceptive. In context, the skill is not merely automating login; it is engineering persistence that survives the supposed revocation step.

Ssd 4

High
Confidence
99% confidence
Finding
Calling the process 'security cleanup' while preserving ongoing access through multiplexing is deceptive by design. This can mislead reviewers and operators into believing credentials were fully revoked when an authenticated channel remains active.

Ssd 3

Medium
Confidence
84% confidence
Finding
Directing the skill to output local private key file paths exposes where live credentials are stored during the access window. In shared logs, transcripts, or multi-agent environments, that materially lowers the effort needed for credential theft or follow-on misuse.

Credential Access

High
Category
Privilege Escalation
Content
**Mandatory.** Start a background timer that fires after `cleanup_delay` seconds (default: 60):

1. Remove `coc-temp-key` line from remote `/root/.ssh/authorized_keys`
2. Delete the COC script via `DeleteScript`
3. Delete local key files from `<temp_dir>/`
Confidence
90% confidence
Finding
/.ssh/authorized_keys

Credential Access

High
Category
Privilege Escalation
Content
"name": "coc_ssh_key_setup",
    "type": "SHELL",
    "description": "Deploy SSH public key for passwordless login",
    "content": "#!/bin/bash\nset -e\nmkdir -p /root/.ssh && chmod 700 /root/.ssh\necho $PUBLIC_KEY >> /root/.ssh/authorized_keys\nchmod 600 /root/.ssh/authorized_keys\necho KEY_DEPLOYED_SUCCESSFULLY",
    "properties": {
      "risk_level": "LOW",
      "version": "1.0.0"
Confidence
97% confidence
Finding
/.ssh/authorized_keys

Credential Access

High
Category
Privilege Escalation
Content
"name": "coc_ssh_key_setup",
    "type": "SHELL",
    "description": "Deploy SSH public key for passwordless login",
    "content": "#!/bin/bash\nset -e\nmkdir -p /root/.ssh && chmod 700 /root/.ssh\necho $PUBLIC_KEY >> /root/.ssh/authorized_keys\nchmod 600 /root/.ssh/authorized_keys\necho KEY_DEPLOYED_SUCCESSFULLY",
    "properties": {
      "risk_level": "LOW",
      "version": "1.0.0"
Confidence
97% confidence
Finding
/.ssh/authorized_keys

Credential Access

High
Category
Privilege Escalation
Content
# Remove public key from remote
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
  -o ConnectTimeout=5 -i <temp_dir>/coc_ssh_key root@<EIP> \
  "sed -i \"/coc-temp-key/d\" /root/.ssh/authorized_keys" 2>/dev/null || true
# Delete COC script
<hcloud> COC DeleteScript --script_uuid="<script_uuid>" 2>/dev/null || true
# Delete local keys
Confidence
86% confidence
Finding
/.ssh/authorized_keys

Session Persistence

Medium
Category
Rogue Agent
Content
ssh -N -f <EIP> -i <temp_dir>/coc_ssh_key && echo "MASTER_CONNECTED"
ssh <EIP> "echo SSH_MUX_OK"  # verify multiplexing works

# 7. Security cleanup (background, survives parent shell exit via nohup + disown)
nohup bash -c '
sleep <cleanup_delay>
# Remove public key from remote
Confidence
88% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
ssh <EIP> "echo SSH_MUX_OK"  # verify multiplexing works

# 7. Security cleanup (background, survives parent shell exit via nohup + disown)
nohup bash -c '
sleep <cleanup_delay>
# Remove public key from remote
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
Confidence
88% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
- The COC script is created via `--cli-jsonInput` with a JSON file, not inline `--content="..."` — inline quoting causes parsing errors with shell special characters in the script body
- The COC script is **parameterized** with `PUBLIC_KEY` — it persists across invocations and can deploy different keys
- If the COC script already exists from a previous run, it is **reused** rather than recreated
- The cleanup uses `nohup bash -c '...' &` + `disown` to survive parent shell exit; output is logged to `<temp_dir>/coc_cleanup.log` for verification. The old `(sleep N && ...) &` pattern loses stdout when the parent shell exits in non-interactive mode
- Private keys are stored in `<temp_dir>` and should never be committed to VCS
- The `sed` cleanup target `coc-temp-key` matches the key comment set during `ssh-keygen`
- After cleanup, use `ssh <EIP>` (no key file needed) — ControlMaster socket handles authentication
Confidence
85% confidence
Finding
nohup

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
"name": "coc_ssh_key_setup",
    "type": "SHELL",
    "description": "Deploy SSH public key for passwordless login",
    "content": "#!/bin/bash\nset -e\nmkdir -p /root/.ssh && chmod 700 /root/.ssh\necho $PUBLIC_KEY >> /root/.ssh/authorized_keys\nchmod 600 /root/.ssh/authorized_keys\necho KEY_DEPLOYED_SUCCESSFULLY",
    "properties": {
      "risk_level": "LOW",
      "version": "1.0.0"
Confidence
98% confidence
Finding
echo $PUBLIC_KEY >> /root/.ssh/authorized_keys\nchmod 600 /root/.ssh/authorized_keys

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.