Back to skill

Security audit

huawei-cloud-vod-collector

Security checks across malware telemetry and agentic risk

Overview

This is a real feedback-reporting skill, but it needs review because it can automatically save conversation/error context, install and run third-party login tooling, use local GitCode credentials, and publish feedback externally.

Install only if you are comfortable with automatic feedback capture in the workspace and with reports being sent to the configured GitCode repository. Review and redact .vod feedback files before delivery, avoid storing secrets in prompts or error logs, do not run the AtomGit-GO installer/login unless you trust that project and repository, and consider using an isolated account/token for submissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (37)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill exposes significant capabilities including file I/O, shell execution, environment access, and network access, but does not declare permissions or present them transparently. This increases the chance of unexpected execution paths and makes it harder for users or reviewers to assess whether local data access, token handling, and external delivery are appropriate.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose is feedback collection, but the documented behavior also installs software, starts local services, reads persisted authentication state, and sends data to an external GitCode repository. This mismatch is dangerous because users may authorize the skill expecting local note-taking while it actually performs credential-related operations and exfiltrates collected content off-host.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The template explicitly requires storing full dialog content and assistant chain-of-thought, which is unnecessary for collecting Huawei Cloud product feedback and materially expands the data captured beyond the stated purpose. Capturing internal reasoning and complete conversation history can expose sensitive user data, system prompts, secrets, and protected model internals, creating a serious overcollection and disclosure risk.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented scope includes collecting assistant reasoning and full conversational context even though the skill is described only as a Huawei Cloud issue/suggestion feedback collector. This mismatch indicates unjustified data collection and increases the chance that unrelated sensitive content is retained or forwarded under the guise of feedback handling.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The configuration enables collection of broad environment data via `collect_environment: true`, which exceeds the narrowly described purpose of capturing Huawei Cloud user issues and suggestions. In a feedback-capture skill, environment metadata can include sensitive contextual information and increases privacy and data-minimization risk if collected without clear disclosure, scoping, or necessity.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The delivery section supports sending captured feedback to an external Git repository and additional channels, but the manifest description only presents this as issue/suggestion capture. Because the skill can export collected content off-platform, users and operators may not realize that prompts, errors, and context can be transmitted to third-party destinations, creating exfiltration and compliance risk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The `_resolve_value` helper treats any CLI value beginning with `@` as a filesystem path and reads that file's contents into the feedback record. That creates an arbitrary local file read primitive for whoever can invoke this CLI, which is broader than necessary for markdown feedback collection and could accidentally or intentionally ingest sensitive files such as tokens, configs, or conversation artifacts into persisted output.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill sends locally stored feedback content to an external GitCode repository, which exceeds the manifest description of merely capturing and distilling developer feedback. Because feedback bodies can include error messages, stack traces, environment details, and user-entered text, this creates a real risk of unintended data exfiltration to a remote service using local credentials.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The batch notify path publishes all pending feedback records to a remote repository in one operation, broadening exfiltration risk beyond a single user-approved report. In this context, multiple historical feedback files may contain stack traces, environment data, and freeform descriptions that users did not expect to be mass-uploaded externally.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill can start and stop a local login server process, a privileged capability not justified by a feedback-collection role and potentially enabling unexpected local service exposure or process manipulation. In skill context this is more dangerous because users invoking a 'report feedback' capability would not reasonably expect background server lifecycle management.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill reads authentication tokens from local AtomGit-GO config files to perform remote actions, which is unrelated to simple feedback capture and creates credential-access behavior far beyond user expectations. In context this is especially risky because it silently repurposes existing local credentials to publish data externally, increasing both exfiltration and account-misuse risk.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script downloads code from an external repository, compiles it locally, and installs executables into the user's profile, which is far outside the declared purpose of collecting Huawei Cloud feedback. This creates a software supply-chain and unauthorized code execution risk: anyone invoking a feedback-related skill could be induced to fetch and run untrusted code on their machine.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Network cloning and local binary installation are unjustified privileged actions for a reporting/feedback skill, making the mismatch especially dangerous in context. The script performs remote code retrieval via git clone and produces runnable executables, so compromise of the upstream repo or misuse of the skill could lead to arbitrary code execution and persistence in the user's environment.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script’s behavior is materially inconsistent with the declared purpose of a Huawei Cloud VOD feedback-collection skill. Instead of collecting user feedback, it clones an unrelated external repository and installs executables into the user’s local bin directory, which is a strong indicator of deceptive or unauthorized capability expansion. The skill context makes this more dangerous because users invoking a complaint/reporting tool would not reasonably expect software installation or binary deployment.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code clones software from an external repository and extracts bundled binaries into ~/.local/bin, giving the skill the ability to place executables on the user’s system without justification tied to feedback reporting. This creates a supply-chain and persistence risk: a compromised or swapped repository/archive could deliver arbitrary code, and the installed binaries may later be executed by the user or other tooling. In the context of a feedback/reporting skill, this capability is especially suspicious and unjustified.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script accepts an arbitrary local path, reads the file, and writes sanitized output back to either a chosen destination or the original file. In a feedback-reporting skill, broad local file read/write access is unnecessary and increases risk of unauthorized modification or exposure of local data if the skill is invoked on sensitive paths.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to activate on generic complaints, bug mentions, or dissatisfaction, increasing the chance that the skill runs in contexts where the user did not intend data capture or external reporting. Because the skill can persist dialog and later deliver it externally, unintended invocation materially raises privacy and data handling risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs extraction and storage of error stacks, user intent, scenario reconstruction, environment details, and dialog context without requiring an upfront user-facing consent or sensitivity review. Even with mention of sanitization, these fields can contain secrets, internal paths, customer data, or credentials, and the risk is amplified because the content may later be submitted to an external issue tracker.

Missing User Warnings

High
Confidence
96% confidence
Finding
Requesting full dialog content and assistant chain-of-thought without any warning, consent boundary, or sensitivity screening creates a high likelihood of collecting confidential or regulated data. Because the template normalizes verbatim retention of broad context, operators may ingest secrets or private information that were never necessary for the feedback workflow.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The field '- [thinking]: <AI chain-of-thought, for assistant turns only>' directly instructs retention of internal assistant reasoning, which is prohibited sensitive model output and not needed for user feedback collection. If followed, it could leak hidden reasoning, policy logic, prompt content, or sensitive derived information into stored records.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Trigger phrases such as `反馈问题` and `这个有bug` are broad conversational language and can activate reporting during ordinary dialogue rather than deliberate bug-reporting workflows. Because this skill also captures context and may deliver data externally, unintended activation can cause unnecessary collection and onward sharing of user content without clear intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document describes automatic capture of user prompts, tool execution results, session identifiers, and timestamps, but does not clearly warn about privacy implications, consent requirements, retention, or data handling boundaries. In an agent-hook integration, this can lead operators to enable collection that unintentionally captures sensitive user data, command output, or secrets from tool stderr/stdout without informed consent or minimization.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
`write_feedback_md` serializes extensive potentially sensitive data to disk, including session IDs, error stacks, user reports, dialog context, agent actions, and environment details. In a feedback-collection skill handling user complaints and Huawei Cloud issues, this can capture secrets, personal data, or internal operational context without any built-in notice, minimization, or consent mechanism.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The same `@file` convenience feature silently reads arbitrary local files and folds their contents into feedback fields. Even if intended to ease multiline input handling, it materially expands data collection scope and can cause sensitive local data to be exfiltrated into markdown records without clear user awareness.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code overwrites feedback markdown files to mark delivery status without any confirmation, backup, or integrity protection. While not remote code execution, it can silently alter local records and erase prior Delivery sections, which is risky in a tool expected to preserve user feedback accurately.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.