Back to skill

Security audit

huawei-cloud-storage-query

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for read-only Huawei Cloud storage inventory, but its setup and network security choices are risky enough to require review before installation.

Install only if you are comfortable letting it run local setup code, install Python packages, use Huawei AK/SK credentials from environment variables, and query IAM/account metadata. Avoid using high-privilege credentials, and treat the disabled TLS verification and get-pip fallback as issues the publisher should fix before use in sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill explicitly instructs execution of local shell commands, reads credential-bearing environment variables, and performs networked cloud queries, yet no permissions are declared. This creates a transparency and consent gap: a caller may invoke what appears to be a harmless query skill without realizing it can execute code, access secrets, and make outbound authenticated requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior materially exceeds the stated 'read-only storage query' purpose by creating virtual environments, installing or upgrading dependencies, attempting system package installs, downloading bootstrap content, and performing IAM validation/discovery. That mismatch is dangerous because users may authorize a low-risk inventory skill while it performs side-effecting local changes and additional network activity with privileged cloud credentials.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The documentation broadens scope beyond storage services to generic resource, image, and specification discovery, conflicting with the manifest's limited EVS/OBS/SFS/CBR description. Scope drift is risky because it can lead to overbroad data access and unexpected API usage beyond what a user or policy reviewer approved.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
A skill advertised as having 'No write operations' instructs users to run environment-check scripts that install dependencies and potentially alter the host environment. Even if cloud resources remain read-only, local system modification is still a write-side effect and changes the trust profile of the skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script performs a tenant/domain-level project enumeration (`list_domain_projects`) using supplied credentials, which goes beyond the skill’s declared storage-query scope of EVS/OBS/SFS/CBR resources. Even though it is read-only, domain project discovery exposes broader account structure and can facilitate reconnaissance across projects, increasing the blast radius of credential use beyond expected storage metadata.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This script exposes a CBR tenant/domain lookup operation (`show_domain`) that returns project and domain identifiers/names, which goes beyond the skill manifest’s declared scope of backups, vaults, policies, tasks, agents, and protectables. Even though the operation is read-only, it can disclose tenant structure and identity metadata that may aid reconnaissance or enable cross-project information gathering if the caller supplies arbitrary `source_project_id` values.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script performs broad host-management actions such as installing Python and invoking system package managers (`apt`, `yum`, `dnf`, `brew`, `winget`) even though the skill is described as a read-only Huawei storage query tool. In this skill context, that scope expansion is risky because running the helper modifies the local machine and may require elevated privileges unrelated to querying cloud storage.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script downloads `get-pip.py` from the network and executes it locally, which is a remote code execution pattern. This is especially unjustified for a storage-query skill because it fetches and runs bootstrap code outside the declared read-only cloud-query purpose, increasing supply-chain and host-compromise risk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Credential validation is implemented by listing IAM users, which expands access from storage-resource querying into identity-account inspection. In a read-only storage skill, this broader API use violates least privilege and may disclose account structure or require permissions the user did not expect to grant.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill says invocation should immediately run local environment-check scripts that install dependencies and validate credentials, but it does not present this as a clear safety warning up front. Silent or implicit execution of setup scripts increases the chance of unreviewed code execution and unwanted host changes in environments that assumed a passive query tool.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill relies on sensitive Huawei credential environment variables and may automatically call IAM to discover project information, but the description does not clearly disclose that authenticated network requests will be made using those credentials. This can surprise users and may expose account metadata or broaden audit/logging footprints beyond expected storage queries.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code explicitly sets `http_config.ignore_ssl_verification = True` and globally suppresses `InsecureRequestWarning`, which disables TLS certificate validation for all outbound Huawei Cloud SDK requests. This makes the skill susceptible to man-in-the-middle interception via hostile networks or malicious proxy settings, exposing cloud credentials and sensitive storage metadata despite the skill being read-only.

Missing User Warnings

High
Confidence
98% confidence
Finding
The helper silently fetches and executes remote bootstrap code without a prominent warning or explicit confirmation. Users may believe they are only preparing a storage-query environment, while the script actually runs code obtained over the network, creating significant supply-chain and execution risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
huaweicloudsdkcore>=3.1.0
huaweicloudsdkiam>=3.1.0
huaweicloudsdkevs>=3.1.0
huaweicloudsdksfsturbo>=3.1.0
Confidence
90% confidence
Finding
huaweicloudsdkcore>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
huaweicloudsdkcore>=3.1.0
huaweicloudsdkiam>=3.1.0
huaweicloudsdkevs>=3.1.0
huaweicloudsdksfsturbo>=3.1.0
huaweicloudsdkobs>=3.1.0
Confidence
90% confidence
Finding
huaweicloudsdkiam>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
huaweicloudsdkcore>=3.1.0
huaweicloudsdkiam>=3.1.0
huaweicloudsdkevs>=3.1.0
huaweicloudsdksfsturbo>=3.1.0
huaweicloudsdkobs>=3.1.0
huaweicloudsdkcbr>=3.1.0
Confidence
90% confidence
Finding
huaweicloudsdkevs>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
huaweicloudsdkcore>=3.1.0
huaweicloudsdkiam>=3.1.0
huaweicloudsdkevs>=3.1.0
huaweicloudsdksfsturbo>=3.1.0
huaweicloudsdkobs>=3.1.0
huaweicloudsdkcbr>=3.1.0
Confidence
90% confidence
Finding
huaweicloudsdksfsturbo>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
huaweicloudsdkiam>=3.1.0
huaweicloudsdkevs>=3.1.0
huaweicloudsdksfsturbo>=3.1.0
huaweicloudsdkobs>=3.1.0
huaweicloudsdkcbr>=3.1.0
Confidence
90% confidence
Finding
huaweicloudsdkobs>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
huaweicloudsdkevs>=3.1.0
huaweicloudsdksfsturbo>=3.1.0
huaweicloudsdkobs>=3.1.0
huaweicloudsdkcbr>=3.1.0
Confidence
90% confidence
Finding
huaweicloudsdkcbr>=3.1.0

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.insecure_tls_verification

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/ensure_env.py:284