Back to skill

Security audit

huawei-cloud-ecs-sqlbot-deploy

Security checks across malware telemetry and agentic risk

Overview

The skill does deploy SQLBot on Huawei Cloud as advertised, but it combines billable cloud provisioning with unsafe credential handling, default passwords, external notifications containing secrets, and remote root script execution.

Install only if you are comfortable granting Huawei Cloud credentials that can create billable infrastructure and run COC scripts. Use temporary least-privilege credentials, avoid pasting AK/SK into chat or command history, do not enable Feishu notifications for secrets, review the remote installer before execution, restrict port 8000 to trusted IPs, and change both the server and SQLBot passwords immediately after deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (37)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares broad operational capabilities in metadata and instructions—environment access, package installation, shell execution, network access, and file operations—without an explicit permissions declaration or minimization. This reduces transparency and makes it easier for a deployment skill to perform sensitive actions beyond what users may reasonably expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is Huawei Cloud SQLBot deployment, but the behavior described by the finding extends to unrelated or higher-risk actions such as automatic pip installs, Feishu notifications, IAM/project discovery, possible network provisioning, and exposing sensitive credentials/passwords in outputs. This mismatch is dangerous because users may authorize a narrowly scoped deployment action while the skill performs broader infrastructure and data-handling operations.

Context-Inappropriate Capability

Low
Confidence
76% confidence
Finding
Collecting or using a Feishu user ID for deployment notifications is outside the core Huawei Cloud SQLBot deployment purpose and introduces unnecessary data handling and external communication. Even if not directly malicious, this expands the skill's scope and can leak operational details to third-party channels.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation contains contradictory guidance: it says the skill 'NEVER' asks for AK/SK directly, yet nearby instructions tell the user to provide AK/SK when environment variables are absent. Contradictions around secret handling create unsafe operator behavior and increase the chance that users will paste credentials into chat or other insecure channels.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The acceptance criteria treat a known default credential (admin/SQLBot@123456) as valid for successful deployment while also asserting password-policy compliance. This normalizes insecure-by-default operation and can lead to deployments being accepted with credentials that are guessable, reused, or never rotated.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The deployment workflow sends highly sensitive secrets over Feishu notifications, including the initial server password and default SQLBot credentials. This expands secret exposure beyond the deployment host to an external messaging channel, increasing the chance of credential leakage, account compromise, and unauthorized access to the created cloud instance and application.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The code claims to restrict SQLBot access but actually allows the entire 192.168.0.0/16 private range, which may include many hosts unrelated to the intended operator. In enterprise or VPN-connected environments, this can expose the web service to a much broader internal population than expected, especially since SQLBot is later advertised with default credentials.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The code automatically creates new VPC and subnet resources when none exist, which expands the skill’s effective behavior beyond simple instance purchase/deployment into network provisioning. In a cloud automation skill this is not inherently malicious, but it is risky because it can create unexpected billable infrastructure and alter account network topology without explicit user approval.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The utility sends Feishu notifications to an external user channel even though the skill is described primarily as cloud instance purchase and SQLBot deployment. In deployment tooling, undisclosed outbound messaging increases data-exposure risk because status messages can contain operational details, identifiers, or error output that leave the execution environment unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Executing an external messaging CLI expands the skill's effective capabilities from deployment into third-party communications. In this context, that is more dangerous because deployment workflows often handle sensitive metadata, and using an external tool can transmit user identifiers and deployment state outside the expected cloud-control path.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Directly asking users to provide cloud AK/SK credentials in conversation is a serious secret-handling flaw. Chat channels are often logged, persisted, or visible to multiple systems, so exposing cloud credentials can lead to account takeover, resource abuse, and further compromise of the user's cloud environment.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill performs cost-incurring and infrastructure-changing operations—creating servers, security groups, and binding EIPs—without sufficiently prominent up-front warning in the high-level description. In this context, under-disclosure is dangerous because users may trigger real cloud purchases and network exposure without fully understanding the consequences.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The example commands pass AK/SK secrets directly on the command line, which can expose them through shell history, process listings, terminal logs, CI logs, and support screenshots. Even in documentation, this encourages unsafe operator behavior and increases the likelihood of credential leakage.

Missing User Warnings

High
Confidence
99% confidence
Finding
Requiring successful login with default credentials as part of acceptance testing effectively mandates an easily guessable account on an internet-reachable service. In the context of one-click cloud deployment, this can enable immediate unauthorized access if the service is exposed before credentials are changed.

Missing User Warnings

High
Confidence
98% confidence
Finding
The security criteria explicitly require port 8000 to allow all IPs, which broadens the attack surface for the deployed application and any administrative endpoints it exposes. Combined with the documented default login, this materially increases the likelihood of internet-wide compromise, scanning, and brute-force attacks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide instructs users to download and execute a remote shell installer via curl and bash without any integrity verification, signature check, pinning to a specific version, or warning about supply-chain risk. If the hosting location, DNS, transport path, or script content is compromised, users could execute arbitrary code on their systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code creates and executes a shell script on a remote ECS instance that downloads another script from a remote OBS URL and runs it as root. Even though remote deployment is the stated purpose of the skill, the lack of an explicit user-facing warning/confirmation before performing system-changing actions increases the risk of unintended destructive changes and of users not understanding that arbitrary code will be executed on their server.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code signs and sends requests to Huawei Cloud APIs using AK/SK credentials and includes instance identifiers and related metadata, but there is no explicit disclosure at the point of use that these sensitive inputs are being transmitted to cloud endpoints. In a deployment skill this behavior is expected, but failing to clearly disclose it can lead to unsafe operator assumptions and accidental credential exposure in higher-level workflows.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script creates billable infrastructure and performs remote deployment actions without an explicit confirmation gate. In an agent or automation context, this increases the risk of unintended resource creation, unexpected cost, and remote execution on cloud assets if the command is triggered accidentally or with unreviewed parameters.

Missing User Warnings

High
Confidence
99% confidence
Finding
The progress notification includes the initial server password and sends it through an external notification channel without strong user disclosure or secure transport guarantees in this code. Exposing infrastructure credentials in status messages materially increases the risk of full host compromise if the recipient, channel, or logs are accessible by others.

Missing User Warnings

High
Confidence
99% confidence
Finding
The success notification sends both the instance password and default SQLBot application credentials over the notification channel. This creates a direct path to infrastructure and application compromise, especially because the service URL and login username are included alongside the secrets.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When no subnet exists, the skill proceeds to create VPC and subnet resources automatically after only logging messages, without any explicit consent gate. In the context of a cloud deployment skill, silent provisioning is dangerous because it can create unexpected infrastructure, incur charges, and modify network boundaries in a privileged account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The helper creates security-group rules with a default remote_ip_prefix of 0.0.0.0/0, which opens services to the public internet unless callers override it. In a deployment tool that provisions internet-facing hosts, this default significantly increases exposure risk and can lead to brute-force attacks, service exploitation, or data exposure.

Missing User Warnings

High
Confidence
97% confidence
Finding
This path creates monthly-billed servers, auto-creates public IP resources, and enables auto-pay without an explicit confirmation barrier in the function itself. In a cloud skill using account credentials, this is dangerous because accidental or unauthorized invocation can trigger immediate spend and expose new internet-reachable infrastructure.

Missing User Warnings

High
Confidence
95% confidence
Finding
The pay-as-you-go path provisions compute and public IP resources directly, again without an explicit confirmation/control point at execution time. Given the skill context, this creates immediate financial and exposure risk if triggered unintentionally or by a confused deputy flow using valid credentials.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/deploy_sqlbot.py:524

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/huawei_cloud_ecs.py:280