hwc-cli-guidance

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using Huawei Cloud KooCLI, with expected but sensitive credential and cloud-management examples that users should handle carefully.

Before installing or using the examples, verify downloads against Huawei Cloud's official documentation, treat AK/SK values as secrets, prefer CI secret stores or environment variables, use least-privilege IAM keys, and review any cloud-mutating commands before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The document recommends environment variables for AK/SK handling, but elsewhere provides a plaintext configuration example containing access keys and secret keys under ~/.hcloud/configure. Even if shown as placeholders, this normalizes storing long-lived secrets in a local file, which can be leaked through backups, world-readable permissions, repo commits, or shared build agents.

Missing User Warnings

Medium
Confidence: 83%
Finding
The guide instructs users to enter Access Key ID and Secret Access Key but provides no warning about credential sensitivity, secure storage, rotation, or avoiding hardcoding and logging. In a skill meant to onboard users, this omission can normalize unsafe credential handling and increase the chance of secret exposure in terminals, scripts, CI/CD logs, or shared profiles.

VirusTotal

65/65 vendors flagged this skill as clean.
