Back to skill

Security audit

huawei-cloud-monitoring-query

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be read-only for Huawei Cloud queries, but its setup and TLS choices create meaningful review risk around credentials and dependency installation.

Install only if you are comfortable giving the skill Huawei Cloud credentials and allowing it to create a local virtual environment and install packages. Prefer temporary, least-privilege AK/SK credentials, avoid running it on sensitive networks until TLS verification is fixed, and review or pin dependencies before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes shell commands, uses environment credentials, and performs network access, yet no permissions are explicitly declared. This weakens security boundaries and informed consent because a caller may expect a documentation-only or narrow query skill while it can execute bootstrap scripts, install dependencies, and access cloud APIs with supplied credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest presents a read-only Huawei Cloud monitoring/EPS query skill, but the instructions require environment bootstrapping, package installation, possible internet downloads, OS-level package manager use, and IAM interactions beyond the declared scope. This mismatch is dangerous because users may authorize or invoke the skill under false assumptions while it performs broader and more sensitive operations than advertised.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The body of the skill describes a generic cloud inventory tool for specs, images, disks, and existing resources, which materially exceeds the stated monitoring and enterprise-project use case. This broader discovery capability can expose unrelated infrastructure metadata and increases the blast radius if the skill is invoked with cloud credentials.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The capability list expands into general resource discovery and dependency mapping rather than the specific alarm, dashboard, and enterprise-project queries promised by the manifest. That discrepancy can lead to unintended access to broader cloud metadata and undermines trust in the skill’s declared purpose.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The title 'Huawei Cloud Resource Query' signals a broad resource-query capability that conflicts with the manifest’s narrower monitoring/EPS identity. While partly a documentation issue, such labeling inconsistencies can mislead routing, review, and user expectations, making broader behavior less likely to be scrutinized.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
For a skill advertised as a read-only Huawei monitoring/EPS query tool, automatically creating virtual environments and re-executing the script expands behavior beyond the declared scope. This matters because users may run the skill expecting only cloud reads, while it silently modifies the local system state and execution environment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script installs Python dependencies and supports upgrade behavior even though the skill is described as a query-only integration. This discrepancy increases supply-chain and operational risk because running the skill can alter the host environment in ways unrelated to the user's expected cloud-read action.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Invoking pip and OS package managers from within a monitoring-query skill is risky because it executes privileged or semi-privileged system changes not necessary for the skill's business purpose. In skill ecosystems, this broadens the trust boundary and can be abused for supply-chain compromise or unexpected host modification.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script downloads get-pip.py from the network and executes it locally, which is a classic remote code execution and supply-chain risk. In the context of a read-only cloud query skill, this is especially dangerous because users would not expect execution of remotely retrieved bootstrap code on their machine.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Overly broad triggers like generic 'alarm', 'monitoring', and 'alert' increase the chance of accidental invocation in contexts unrelated to Huawei Cloud CES/EPS. Because this skill can execute scripts, access environment credentials, and make network calls, unintended activation raises the risk of unnecessary cloud metadata exposure or setup side effects.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code explicitly disables TLS certificate verification by setting `http_config.ignore_ssl_verification = True` and suppresses the related warning globally via `urllib3.disable_warnings(...)`. This allows man-in-the-middle interception of Huawei Cloud API traffic, exposing AK/SK credentials, security tokens, and queried monitoring or enterprise project data to interception or tampering, especially when proxies are supported via environment variables.

Missing User Warnings

High
Confidence
100% confidence
Finding
The script globally disables HTTPS certificate verification by setting the default SSL context to an unverified one. This allows man-in-the-middle interception of all subsequent TLS connections made through affected libraries, including package downloads and cloud API traffic, undermining both credential confidentiality and response integrity.

Unpinned Dependencies

Low
Category
Supply Chain
Content
huaweicloudsdkcore>=3.1.0
huaweicloudsdkiam>=3.1.0
huaweicloudsdkces>=3.1.0
huaweicloudsdkeps>=3.1.0
Confidence
96% confidence
Finding
huaweicloudsdkcore>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
huaweicloudsdkcore>=3.1.0
huaweicloudsdkiam>=3.1.0
huaweicloudsdkces>=3.1.0
huaweicloudsdkeps>=3.1.0
Confidence
96% confidence
Finding
huaweicloudsdkiam>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
huaweicloudsdkcore>=3.1.0
huaweicloudsdkiam>=3.1.0
huaweicloudsdkces>=3.1.0
huaweicloudsdkeps>=3.1.0
Confidence
96% confidence
Finding
huaweicloudsdkces>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
huaweicloudsdkcore>=3.1.0
huaweicloudsdkiam>=3.1.0
huaweicloudsdkces>=3.1.0
huaweicloudsdkeps>=3.1.0
Confidence
96% confidence
Finding
huaweicloudsdkeps>=3.1.0

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.insecure_tls_verification

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/ensure_env.py:284