Back to skill

Security audit

huawei-cloud-eip-cost-optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly an EIP reporting tool, but it is advertised as read-only while also documenting cloud mutation workflows and auto-installing a cron job.

Install only if you are comfortable reviewing and constraining it manually. Use read-only Huawei Cloud IAM permissions, avoid following the mutation examples, do not run --setup-cron until the cron command is inspected, and avoid passing untrusted webhook or email values to the script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (37)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 尝试自动添加
    try:
        import subprocess
        result = subprocess.run(
            f"(crontab -l 2>/dev/null; echo '{cron_command}') | crontab -",
            shell=True,
            capture_output=True,
Confidence
97% confidence
Finding
result = subprocess.run( f"(crontab -l 2>/dev/null; echo '{cron_command}') | crontab -", shell=True, capture_output=True, text=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares itself as read-only analysis but exposes capabilities that use environment variables, shell commands, and network access without an explicit permission declaration or capability boundary. This increases the chance that an agent or user will run higher-risk operations than expected, especially when combined with later sections that invoke external notifications and local system changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior materially exceeds the declared purpose: it installs cron jobs, sends webhook/SMTP traffic, and supports audit logging of operational actions despite claiming read-only analysis. This mismatch is dangerous because users and orchestrators may trust the manifest and authorize the skill in contexts where these side effects are not acceptable.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation states the skill does not adjust bandwidth, but command sections instruct users to run bandwidth modification scripts and recommend changing idle EIPs to 1 Mbps. This contradiction creates a direct path to unauthorized or unintended infrastructure changes.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation states the skill does not adjust bandwidth, but command sections instruct users to run bandwidth modification scripts and recommend changing idle EIPs to 1 Mbps. This contradiction creates a direct path to unauthorized or unintended infrastructure changes.

Description-Behavior Mismatch

Critical
Confidence
100% confidence
Finding
The manifest advertises 'read-only analysis only' while the body documents bandwidth adjustment and tag modification operations. A manifest-level deception or severe mismatch is especially dangerous because tooling may rely on top-level metadata to decide whether a skill is safe to invoke automatically.

Scope Creep

High
Confidence
97% confidence
Finding
The documented operations include update behaviors that are not covered by the declared read-only IAM permissions. This gap encourages overbroad privilege grants during troubleshooting and undermines least-privilege expectations.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Guidance about cleanup and release operations is inconsistent with a skill whose stated purpose is analysis only. Even when framed as recommendations, such guidance can steer users toward destructive actions based on a tool they believed was non-operational.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill is declared as read-only and explicitly excludes bandwidth adjustment, yet this document provides concrete code and guidance for modifying bandwidth. That creates scope drift: an agent or maintainer could use this documentation to implement or expose mutating operations that increase spend or alter network configuration, undermining the safety boundary promised by the manifest.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation covers operational behavior outside the stated read-only cost-optimizer scope, specifically how to call a bandwidth modification API. In a skill ecosystem, such contradictory guidance is dangerous because downstream agents may treat in-repo docs as authoritative and perform prohibited state-changing actions despite the declared constraints.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The reference guide includes multiple state-changing EIP operations such as create, delete, update bandwidth, associate/disassociate, and tag modification even though the skill is explicitly described as read-only analysis only. This creates a capability/instruction mismatch that can cause an agent or operator to perform destructive or cost-impacting actions under the false assumption that the skill is safe for non-mutating use.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documentation directly contradicts the manifest's stated prohibition on bandwidth adjustment, tag management, and EIP release/deletion by providing exact commands for those actions. In agent settings, contradictory embedded instructions are dangerous because they may be treated as authoritative operational guidance and lead to unauthorized configuration changes or cost/compliance issues.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The guide provides an irreversible EIP deletion command despite the skill claiming no release/deletion capability. Because deletion reclaims the public IP and cannot be undone, its presence in a supposedly read-only skill materially increases the risk of accidental or induced destructive action by an agent or human following the documentation.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is explicitly described as read-only cost optimization, but this IAM reference includes create, delete, update, associate, and disassociate permissions for EIPs. That mismatch can cause operators to grant materially broader privileges than necessary, enabling destructive or cost-impacting actions if the skill, an agent, or a compromised workflow uses those permissions.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document states that permissions follow least privilege while also presenting a full management policy that contradicts the stated read-only intent of the skill. This is dangerous because users may trust the least-privilege claim and authorize excessive access, creating an avoidable privilege-escalation path and increasing the blast radius of agent misuse or credential compromise.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The guide explicitly recommends a follow-on release workflow for idle EIPs, which contradicts the skill's stated read-only scope and exclusion of release/deletion operations. This can mislead operators into performing destructive actions under the authority of a supposedly non-destructive skill, increasing the chance of accidental service disruption or policy violations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The reference guide includes explicit instructions for mutating operations such as bandwidth modification and EIP deletion, which directly contradicts the skill's declared read-only scope. In an agent setting, this mismatch can cause downstream tooling or operators to invoke destructive cloud actions under the assumption that the skill is safe for analysis only.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The guide advertises a 'production-ready example' that supports destructive operations, reinforcing unsafe usage patterns inside a skill that claims to be read-only. This increases the likelihood that users or autonomous agents will trust and run code paths capable of modifying or deleting cloud resources without expecting that risk.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The session notes explicitly state that an idle EIP was successfully released, providing evidence that the skill material is not merely theoretical but has been used for destructive actions despite the read-only declaration. This undermines trust boundaries and may encourage operators or agents to perform resource deletion in contexts where only analysis was authorized.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The verification document is inconsistent with the declared skill scope: it describes an "EIP management skill" rather than a read-only cost-optimization skill, which signals scope drift in operational documentation. In security-sensitive automation, inaccurate verification guidance can cause reviewers or operators to validate capabilities outside the approved boundary and overlook later unsafe expansion.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document explicitly includes tag-management verification even though the manifest forbids tag management, creating a direct contradiction between approved behavior and documented validation steps. This is dangerous because operators may treat tag operations as sanctioned, enabling unauthorized metadata changes that can affect policy enforcement, billing attribution, automation targeting, or downstream access controls.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script claims to be analysis-only, but its generated recommendations tell operators to perform bandwidth adjustment and tag-management actions that are explicitly out of scope for the skill. This mismatch can mislead downstream users or agents into taking operational actions based on a tool that was supposed to remain read-only, increasing the risk of policy violations or unintended infrastructure changes.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The optimization guidance includes concrete instructions to adjust bandwidth and manage tags even though the manifest explicitly forbids those areas. In an agent setting, operational guidance can be treated as an action plan, so this expands the effective scope of the skill beyond approved read-only analysis and may cause unauthorized or unsafe follow-on changes.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The JSON report embeds out-of-scope recommendations for bandwidth adjustment and tag management, which makes the scope violation machine-consumable and easier for other automation to ingest. That increases the chance that downstream systems or copilots will operationalize these recommendations despite the skill being advertised as read-only.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill can modify the user's crontab and execute shell commands even though its stated purpose is read-only EIP analysis and alerting. This violates least privilege and expands the blast radius from cloud inventory inspection to persistent local system modification.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.