Back to skill

Security audit

huawei-cloud-flexus-l-server-manage

Security checks across malware telemetry and agentic risk

Overview

This skill is for legitimate Huawei Cloud server management, but it can make paid account changes and disables TLS verification for authenticated cloud API calls.

Install only if you are comfortable giving the skill Huawei Cloud credentials and billing permissions. Use temporary least-privilege AK/SK credentials, run dry-runs first, verify the exact region/resource IDs and any included add-on resources, avoid broad admin policies when possible, and do not use this version on untrusted networks unless TLS verification is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs execution of Python scripts, use of environment variables for cloud credentials, and outbound access to Huawei Cloud APIs, yet no explicit permissions are declared. This creates a governance gap where a high-impact skill can access shell, network, and secrets without transparent capability scoping, increasing the chance of unintended execution or over-privileged deployment.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The create flow silently attaches and purchases extra resources (EVS, CBR, HSS) beyond the primary instance, which expands cost and resource footprint beyond the manifest's lifecycle description. In an agent-skill context, hidden add-on purchases are dangerous because callers may believe they are only provisioning a lightweight server while the function creates additional billable services.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The metadata description includes broad trigger phrases such as purchase server, renew, and unsubscribe, which are generic enough to match unrelated conversations. Over-broad activation can cause the agent to invoke a destructive cloud-management skill in the wrong context, especially because the skill supports billing-affecting and unsubscribe operations.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger rules list multiple ambiguous phrases like Huawei Cloud renewal, purchase Huawei Cloud server, and cancel subscription flexus without strong scope constraints or identity/resource validation. Because this skill can create, renew, and unsubscribe paid resources, ambiguous activation raises the risk of accidental invocation and follow-on harmful actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to grant billing-related permissions such as order payment and refund application, but it does not explicitly warn that these permissions can trigger real financial transactions or account changes. In the context of a server lifecycle skill that can create, renew, and unsubscribe paid resources, omitting a clear financial-impact warning increases the risk of users over-granting access and unintentionally authorizing charges or refunds.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The callable creation function can perform a billable provisioning action directly, with auto_pay and auto_renew enabled by default, and without any built-in confirmation requirement. In a skill/agent setting, exposing a reusable function that can trigger cloud purchases without a mandatory confirmation barrier increases the risk of unintended spend or abuse by higher-level orchestration.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The renewal function can trigger paid subscription changes directly and defaults auto_pay to true, but it has no built-in confirmation or disclosure at the function boundary. In this skill context, callable paid operations are more dangerous because an upstream agent could invoke them non-interactively and incur costs.

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
requests

Known Vulnerable Dependency: pyasn1 — 2 advisory(ies): CVE-2026-23490 (pyasn1 has a DoS vulnerability in decoder); CVE-2026-30922 (Denial of Service in pyasn1 via Unbounded Recursion)

High
Category
Supply Chain
Confidence
83% confidence
Finding
pyasn1

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
90% confidence
Finding
pyyaml

Unsafe Defaults

Medium
Category
Tool Misuse
Content
full_url,
            headers=signed_request.header_params,
            data=signed_request.body,
            verify=False,
            timeout=60
        )
Confidence
98% confidence
Finding
verify=False

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.insecure_tls_verification

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/flexus_lifecycle.py:466