Huawei Cloud Ges Graph

Security checks across malware telemetry and agentic risk

Overview

This skill is a working cloud-database operator with destructive graph and storage capabilities that are only partly guarded or disclosed.

Review before installing. Use only with least-privilege Huawei Cloud credentials, preferably read-only unless mutation is required. Avoid production credentials until TLS verification, destructive-action confirmations, OBS/file path restrictions, and clearer scoping are added. Do not store long-lived AK/SK or passwords in a repository or shared .env file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents executable Python/Node flows that read environment variables and files and perform outbound network requests, yet no explicit permissions are declared. This creates hidden capability expansion: an agent or reviewer may treat the skill as low risk while it can access credentials, local config, and remote services. In a skill that can operate a live graph database, undeclared capabilities materially increase the chance of unsafe invocation and poor policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as an access guide, but the content shows it can authenticate with cloud credentials, execute live queries, manage OBS objects, import/export data, create indexes, and clear the entire graph. That mismatch is dangerous because users and orchestrators may invoke it expecting documentation-only behavior, while it can perform privileged, destructive operations against production cloud resources.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill states that direct API calls are prohibited, but later demonstrates a low-level `_request` call for GQL execution. Contradictory safety guidance undermines operator trust and can cause agents to bypass intended wrappers, logging, validation, or guardrails provided by the approved execution path.

Intent-Code Divergence

Low
Confidence
76% confidence
Finding
The confirmation guidance references `clear_graph()`, but the documented dangerous interface later uses `clear_all_memories()`. This naming inconsistency weakens safety controls because automated checks, reviewers, or agents may look for the wrong method name and fail to apply confirmation requirements to the actual destructive operation.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill metadata says it is an access guide for Huawei Cloud GES, but the implementation includes a full OBS client with object listing, upload, download, and deletion plus local filesystem writes. This expands the tool's authority well beyond the declared graph-database scope, increasing the chance that an agent or user invokes storage and file-transfer operations without understanding the added risk surface.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code loads sensitive credentials from environment variables and a local .env CSV file, including passwords, access keys, and secret keys. While common in SDK code, this is more sensitive than expected for a simple terminal access-guide skill and creates a credential-handling surface that could expose secrets through misconfiguration, unintended reuse, or broader agent access.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The implementation goes far beyond a read-only access guide and exposes persistent graph mutation, deletion, import/export, and clear-graph administration operations. In an agent skill context, this scope expansion is dangerous because a user or prompt injection could trigger destructive actions against production graph data that the metadata does not clearly signal.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill embeds a separate object-storage client with upload, download, delete, and listing capabilities that are not necessary for a narrowly described GES terminal guide. This broadens the blast radius from graph operations to remote file exfiltration and deletion in OBS, increasing the chance of unintended data movement or destructive storage actions.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger list includes broad, generic graph-database phrases that could match ordinary user questions. Because this skill can execute live graph operations, ambiguous invocation scope raises the risk of accidental activation and unintended queries or data-modifying actions in the wrong context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation instructs users to provide AK/SK, passwords, and tokens via environment variables or config files but does not include strong secret-handling guidance. This omission increases the risk of credentials being stored insecurely, committed to repositories, exposed in logs, or left in world-readable files, especially since the skill also reads from `.env`-style locations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Node deletion is exposed as a direct operation with no built-in confirmation, dry-run, or safety guard. In an agent context, this makes accidental or prompt-induced destructive actions easier, especially because the skill is framed as an operational helper for live graph administration.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Edge deletion is executed immediately without any warning or user confirmation. In interactive or automated agent use, this can lead to unintended graph modification and loss of relationship data, especially when parameters are generated from natural-language requests.

Missing User Warnings

High
Confidence
96% confidence
Finding
The clearGraph method can wipe the entire graph via API or Cypher with no confirmation, safeguard, or environment restriction. This is highly dangerous in a production administration skill because a single mistaken invocation can cause irreversible large-scale data loss.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The OBS deleteObject method performs irreversible remote object deletion with no warning or confirmation. Because the same skill also manages credentials and storage access, an agent misuse or prompt injection could lead to unintended cloud data removal.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The downloadFile method writes remote data directly to an arbitrary local path without warning or guardrails. In an agent setting, this can overwrite local files or plant untrusted content on disk, extending impact from remote data access into local filesystem modification.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Remote content is written directly to an attacker-controllable local path without validation, sandboxing, or confirmation. In an agent environment, this can overwrite arbitrary files accessible to the process, enabling data loss, tampering, or planting of malicious content.

Missing User Warnings

High
Confidence
91% confidence
Finding
The skill exposes direct remote object deletion with no confirmation, scoping, or policy enforcement. In an agent setting, prompt injection or mistaken invocation could irreversibly delete cloud-stored data outside the user’s intended graph task.

Missing User Warnings

High
Confidence
90% confidence
Finding
Node deletion is a destructive persistent operation exposed as a simple helper with no confirmation, authorization checks, or guardrails. Because this skill is intended for agent use, an injected or ambiguous instruction could remove production graph data irreversibly.

Missing User Warnings

High
Confidence
89% confidence
Finding
Edge deletion can silently alter graph semantics, permissions, lineage, or relationships without any approval workflow. In a graph-backed memory or knowledge system, removing edges can be as damaging as deleting nodes because it corrupts the structure used for reasoning and retrieval.

Missing User Warnings

High
Confidence
97% confidence
Finding
Clear-graph is an irreversible whole-dataset destructive action exposed without confirmation, safety interlocks, or privilege separation. In an agent context, this is especially dangerous because a single mistaken or injected instruction can wipe the entire persistent graph backing the system.

Credential Access

High
Category
Privilege Escalation
Content
edge_path="obs://bucket/edge"
)

# Export graph data (access_key/secret_key are read from .env automatically)
job_id = skill.client.export_graph(
    export_path="obs://bucket/export",
    vertex_set_name="set_vertex",
Confidence
81% confidence
Finding
.env

VirusTotal

VirusTotal findings are pending for this skill version.