Security audit

huawei-cloud-flexus-l-deploy-jiuwenswarm

Security checks across malware telemetry and agentic risk

Overview

This skill matches its cloud deployment purpose, but it needs Review because it can create paid cloud resources and run root remote scripts while mishandling secrets and relying on weak confirmation and verification controls.

Install only if you intend to let the skill create or modify Huawei Cloud resources and run root commands on the target instance. Use temporary, least-privilege Huawei credentials, confirm the exact target instance and expected charges, avoid production hosts, rotate any model or channel secrets after testing, and do not share COC logs or result JSON files because they may contain sensitive values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (46)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes capabilities to read/write files, access environment variables, invoke shell/Python scripts, and call external cloud/network APIs, yet it declares no explicit permissions. This weakens policy enforcement and user awareness, making high-impact operations like cloud resource creation and remote deployment easier to trigger without transparent capability gating.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill first says Huawei Cloud credentials must never be collected interactively, but later phases instruct interactive collection of other sensitive secrets such as model API keys and channel app secrets. Contradictory secret-handling guidance increases the chance an agent will request, echo, or mishandle secrets in chat or logs.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script adds the deadsnakes PPA to the host, permanently expanding the system's trusted package sources beyond the base distribution. In a one-click deployment skill that runs as root, this increases supply-chain and host integrity risk because future package installs or upgrades may rely on a third-party repository not explicitly approved by the operator.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This utility module provides generic primitives to create and execute arbitrary Huawei Cloud COC scripts on target instances, including running shell content as root. In a skill whose stated purpose is one-click deployment of JiuwenSwarm, this expands capability well beyond the declared scope and creates a dangerous remote-command-execution surface if any upstream input can influence script content, target instances, or execution parameters.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script reports successful 'deployment verification' when it only proves that a trivial shell script can execute remotely. This can create a false sense of security: operators may proceed assuming JiuwenSwarm is installed, healthy, and reachable when none of those properties were actually checked.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The comments and user-facing output explicitly claim JiuwenSwarm deployment verification, but the implementation only tests basic remote command execution. In an infrastructure automation skill that creates cloud instances and configures AI platforms, this mismatch is security-relevant because it can mask failed or incomplete deployments and cause unsafe downstream automation decisions.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger examples are broad natural-language phrases like helping deploy or configure the platform, which could match ordinary conversations and invoke a skill that creates cloud resources and executes remote scripts. Because the skill performs costly and sensitive actions, accidental invocation raises real security and safety concerns.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest description embeds many broad trigger keywords, including generic phrases around AI platform deployment and cloud server deployment. Overbroad triggers increase the chance the skill is selected outside the user's precise intent, which is risky given its ability to provision infrastructure and run remote deployment workflows.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The specification explicitly documents a COC endpoint for remote script execution but provides no warning, scope limitation, approval requirement, or validation guidance. In a skill whose purpose is to automatically create cloud instances and deploy software, this increases the chance that automation will execute arbitrary or overly privileged scripts on provisioned systems without adequate user awareness or controls.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs opening SSH and application ports without any security guidance on source restriction, authentication hardening, or exposure risks. For an internet-facing AI platform deployment skill, this can lead to unnecessary public exposure of administrative access and the web UI, increasing the attack surface for brute force, scanning, and exploitation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The authentication section tells users to place access key and secret key material in environment variables without any handling or storage warning. While environment variables are common, failing to mention secret-management practices can lead to credential leakage through logs, shell history, process inspection, shared environments, or accidental publication.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This document instructs users to grant permissions for remote script creation/execution and instance power operations, but it does not include an explicit warning that these capabilities can run arbitrary commands on cloud instances and disrupt running workloads. In the context of an agent skill that automates deployment, normalizing these permissions without clear impact disclosure increases the chance of over-privileged grants and unintended remote administration exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file documents instance-creation permissions and provides a full policy that includes hcss:instances:create without clearly warning users that this can provision billable cloud resources. In a one-click deployment skill, omission of cost and resource-creation warnings makes accidental or overly broad authorization more dangerous because the skill is designed to automate provisioning at scale.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The troubleshooting guide instructs users to print cloud access key and secret key environment variables directly to the terminal. This can expose credentials in shell history, terminal scrollback, screen recordings, shared sessions, or support screenshots, increasing the risk of cloud account compromise.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide recommends viewing .env and config.yaml files with cat, which may display API keys, webhook secrets, and other sensitive configuration directly on screen. In a deployment/support context, these commands are likely to be copied into shared troubleshooting sessions, making inadvertent secret disclosure more likely.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation includes a destructive instance deletion API example without an explicit warning or confirmation step. In an operational troubleshooting guide for cloud deployment, users may run copy-pasted commands hastily, which can lead to accidental deletion of production infrastructure and service outage.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The generated remote script writes API/channel secrets into a root-owned config file and then explicitly changes the file mode to 644, making the secrets world-readable to any local user on the instance. In non-interactive mode this happens without a prominent warning or consent step, so automation can silently weaken secret confidentiality on production hosts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code creates and executes an arbitrary shell script on the target instance as root and is later used to stop/start the service, but non-interactive execution has no final confirmation gate. In a deployment skill that accepts command-line parameters and cloud instance targeting, accidental misuse or parameter tampering can trigger disruptive privileged changes remotely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes the entire config object, including the API key, into model_config_result.json on disk without redaction or an explicit warning. This creates a plaintext secret exposure risk if the file is read by other local users, collected by support tooling, or accidentally committed or archived.

Missing User Warnings

High
Confidence
99% confidence
Finding
The remote shell script prints the full .env file after updating it, which will expose the API_KEY in command output and likely in Huawei Cloud COC job logs. Because this skill executes remotely through an operations platform, log access may be broader than direct host access, increasing the blast radius of secret disclosure.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script remotely executes substantial system changes on a cloud instance, including package installation, Python/Node replacement, virtual environment creation, and writes to /etc/profile.d, yet the user-facing flow does not present a strong explicit warning or confirmation before making those host-level modifications. In an infrastructure-deployment skill, this increases the risk of accidental destructive changes to the wrong instance or an instance with existing workloads.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script prints masked portions of both AK and SK to the console. Even partial secret exposure can leak identifying information into terminal logs, CI output, shell history captures, or support screenshots, which is unnecessary for a deployment helper handling cloud credentials.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script executes a remotely created shell script as root on the target cloud instance without explicit user acknowledgement or confirmation. In this skill context, which automates instance creation and deployment on Huawei Cloud, silent privileged remote execution expands blast radius if the script content is modified, the target is incorrect, or the automation is reused in a broader workflow.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| --region | Region (cn-north-4 only) | cn-north-4 |
| --wait | Wait for creation completion | False |
| --timeout | Timeout in seconds | 600 |
| --confirm | Skip confirmation prompt | False |

### deploy_service.py
| Parameter | Description | Default Value |
Confidence
88% confidence
Finding
Skip confirmation

Credential Access

High
Category
Privilege Escalation
Content
   - MODEL_NAME: Model name
   - MODEL_PROVIDER: Model provider
2. Generate configuration script (COC remote execution):
   - Backup original .env file
   - Update only four core parameters (API_BASE, API_KEY, MODEL_NAME, MODEL_PROVIDER)
   - Keep other configuration parameters unchanged
   - Set file permission to 600
Confidence
86% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.