ClawHub

Huawei Cloud OBS SDK

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Huawei OBS SDK guide, but it includes copy-pasteable cloud storage actions that can expose or delete data without enough safeguards.

Review this skill carefully before installing or copying examples into automation. Use least-privilege OBS credentials, avoid broad account keys, add explicit confirmation and list-before-delete checks before any deletion, do not use the public-read ACL example unless the bucket is intentionally public, and validate lifecycle rules against retention and backup requirements before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill explicitly advertises destructive operations such as deleting buckets and objects but does not warn about irreversible deletion, versioning implications, or the need for confirmation and backup checks. In an agent context, this increases the chance that a user or downstream automation invokes deletion actions without understanding data-loss consequences, especially because the skill is positioned as an operational guide for production storage management.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The example provides a helper that grants Group.ALL_USERS read access to a bucket, effectively making bucket contents publicly accessible, but it does not include any warning, guardrail, or discussion of data exposure risk. In an SDK usage guide, this can normalize insecure defaults and lead users to expose sensitive objects or metadata unintentionally.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal