
Security audit

aliyun-domain

Security checks across malware telemetry and agentic risk

Overview

The skill's behaviour matches its stated Alibaba Cloud domain-management purpose, but it carries broad account authority, and several of its live domain-changing methods and examples lack a reliable user-confirmation step.

Review this skill before installing. In particular:
  • Use a least-privilege Alibaba Cloud RAM key rather than full account access where possible.
  • Avoid placing secrets permanently in shell profiles.
  • Do not run the safe_operation_example.py sample against a live account.
  • Require explicit confirmation for transfer, lock, auto-renew, DNS host, registrant, registration, and renewal actions.
  • Redact registrant and domain inventory data before saving reports or sending alerts to email or webhooks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
The quick-reference documents DNS modification and domain lock operations that are materially more powerful than the capabilities described in the manifest. This creates a scope-mismatch risk: downstream agents, reviewers, or users may believe the skill is limited to domain lifecycle/help operations while the embedded guidance enables security-sensitive infrastructure changes that can redirect traffic or lock domain management.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
The code template provides actionable domain lock operations beyond the stated manifest scope. While locking is generally protective rather than directly destructive, undocumented security-control changes can still alter domain administration state unexpectedly and indicate the skill exposes more authority than users or policy enforcement may anticipate.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
The DNS modification template enables direct nameserver changes, a highly sensitive infrastructure action that can reroute websites, email, and related services. Because this capability is not declared in the manifest, it increases the chance of hidden privilege, inadequate review, and unsafe invocation by an agent or user who does not realize the skill can perform production-affecting DNS changes.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
The module advertises a double-confirmation requirement for sensitive and financial operations, but many high-impact mutation methods in this range execute immediately without any confirmation gate. In an agent setting, this creates a real risk of unauthorized domain changes, transfer actions, billing changes, or ownership-impacting operations being triggered from a single prompt or tool call.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
The example explicitly states that financial operations require an explicit second user confirmation, but then bypasses that control by simulating confirmation and invoking the real registration API with confirmed=True. In practice, example code is often copied into production flows, so this normalizes an unsafe pattern that can trigger unintended billable domain purchases without actual user approval.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
The renewal example documents a mandatory confirmation step but skips collecting real user input and proceeds with a live renewal call using confirmed=True. Because renewals are billable operations, this creates a dangerous precedent where a caller can satisfy the safeguard with a hardcoded flag instead of verifiable user consent.

Vague Triggers

Severity: Medium
Confidence: 80%
The trigger set contains broad terms such as WHOIS, investment, recommend, bulk, and similar generic phrases that can cause accidental activation during ordinary conversation. Over-broad triggering is risky here because the skill has access to registrar operations, credentials, local files, and networked lookups, so unintended invocation could expose data or steer users into sensitive workflows unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 95%
The document explicitly promotes 'one-click purchase links' that take users directly to Alibaba Cloud purchase pages, but it does not warn that clicking the link navigates to an external commerce flow and may lead to financial actions. In an agent skill that manages domains and already handles financially sensitive operations, normalizing direct buy links without prominent consent and safety messaging increases the risk of unintended purchases or social-engineering-style nudges.

Missing User Warnings

Severity: Medium
Confidence: 95%
The document explicitly encourages users to click generated registrar links and purchase immediately, but it does not warn that these links lead to an external transactional flow that can change account state and spend funds. In this skill's context, domain registration, renewal, and similar actions are financially sensitive, so minimizing friction without a clear confirmation/safety notice increases the risk of unintended purchases or social-engineering-assisted transactions.

Vague Triggers

Severity: Medium
Confidence: 94%
The trigger example uses a very broad natural-language phrase ('帮我看看账号下的域名资产情况', roughly "help me look at the domain assets under my account") that can overlap with ordinary conversation and cause the skill to activate unintentionally. In a domain-management skill, accidental activation can expose account asset summaries, renewal status, valuation data, and other sensitive operational information without a sufficiently explicit user intent boundary.

Missing User Warnings

Severity: Medium
Confidence: 98%
The document includes what appears to be real registrant personal data, including a person's name, email address, phone number, and template IDs, without redaction or any privacy warning. In a domain-management skill, this is particularly sensitive because registrant profile data is tied to identity verification and account assets, so exposing examples can leak PII and normalize unsafe handling of customer data.

Missing User Warnings

Severity: Medium
Confidence: 97%
The guidance explicitly recommends printing the full raw API response for debugging, which can expose registrant names, emails, phone numbers, status, and other account metadata into logs, terminals, CI output, or support transcripts. Given this skill handles domain registrant and WHOIS-related data, unrestricted raw-response logging materially increases the risk of accidental PII disclosure.

Missing User Warnings

Severity: Medium
Confidence: 89%
The README recommends piping monitoring output to email or chat webhooks without warning that domain inventory, expiration status, and WHOIS-related details may be sent to third-party services. This can unintentionally disclose sensitive operational metadata about domains and infrastructure to external systems, especially if the webhook endpoint is misconfigured or less trusted.

Missing User Warnings

Severity: Medium
Confidence: 96%
Changing the transfer-prohibition lock alters the domain's transfer security posture, yet this method performs the action without any explicit user warning, confirmation flow, or policy check. Disabling a transfer lock can materially weaken protection against unauthorized domain transfer, especially in an automated agent context.

Missing User Warnings

Severity: High
Confidence: 99%
Approving transfer-out is a high-impact operation that can enable loss of control over a domain, but the method executes immediately with no confirmation barrier. In a tool-integrated agent, this makes accidental or malicious prompt-driven domain exfiltration substantially easier.

Missing User Warnings

Severity: Medium
Confidence: 91%
Canceling a transfer-out is a sensitive state-changing action that affects domain transfer workflow, but the code provides no explicit user disclosure or confirmation. While generally defensive, it can still disrupt legitimate operations or be abused to interfere with account management without user intent.

Missing User Warnings

Severity: Medium
Confidence: 97%
Auto-renew configuration changes future billing behavior and can create recurring charges, but this method executes without confirmation or warning. In an autonomous or semi-autonomous agent, that violates the stated financial-safety model and can cause unapproved costs.
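Several findings above describe the same defect from two sides: the examples satisfy the "double confirmation" rule with a hardcoded confirmed=True, and the transfer-lock, transfer-out, cancel-transfer and auto-renew methods have no gate at all. The fix is to make confirmation something a caller cannot fabricate: consent must be a token bound to one specific action and parameter set, single-use, short-lived, and issued only by code wired to the human-facing UI. The following is an added example written for this audit; it is not code from the aliyun-domain skill. The operation names in SENSITIVE_OPS, the renew_domain wrapper and the _call_api stub are assumptions standing in for the real SDK calls so that the script runs offline.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Operations that must never run on a bare boolean flag. These are labels
# for this example, not Alibaba Cloud API action names.
SENSITIVE_OPS = {
    "register", "renew", "set_auto_renew", "modify_dns", "update_registrant",
    "set_transfer_lock", "approve_transfer_out", "cancel_transfer_out",
}
CHALLENGE_TTL_SECONDS = 120

@dataclass(frozen=True)
class Challenge:
    """Shown to the user: the exact action, its parameters and a short code."""
    op: str
    params: dict
    nonce: str
    issued_at: float
    code: str

@dataclass(frozen=True)
class Consent:
    """Proof of confirmation, bound to one action and one parameter set."""
    op: str
    digest: str
    nonce: str

def _canonical(op: str, params: dict) -> bytes:
    # Sorted, whitespace-free JSON so identical requests always hash the same.
    return json.dumps({"op": op, "params": params}, sort_keys=True,
                      separators=(",", ":")).encode()

class ConfirmationGate:
    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock          # injectable so expiry can be tested
        self._redeemed = set()       # challenge nonces already confirmed
        self._consumed = set()       # consent nonces already spent

    def propose(self, op: str, params: dict) -> Challenge:
        """Agent side: build the challenge to display. The code depends on the
        secret, the exact parameters and a fresh nonce."""
        nonce = secrets.token_hex(8)
        mac = hmac.new(self._secret, _canonical(op, params) + nonce.encode(),
                       hashlib.sha256).hexdigest()
        return Challenge(op, dict(params), nonce, self._clock(), mac[:6].upper())

    def confirm(self, challenge: Challenge, typed_code: str) -> Consent:
        """Human side only: wire this to the UI, never expose it as an agent
        tool. The typed code must match, be fresh and be unused."""
        if self._clock() - challenge.issued_at > CHALLENGE_TTL_SECONDS:
            raise PermissionError("challenge expired; propose the action again")
        if challenge.nonce in self._redeemed:
            raise PermissionError("challenge already redeemed")
        if not hmac.compare_digest(challenge.code, typed_code.strip().upper()):
            raise PermissionError("confirmation code mismatch")
        self._redeemed.add(challenge.nonce)
        digest = hashlib.sha256(_canonical(challenge.op, challenge.params)).hexdigest()
        return Consent(challenge.op, digest, challenge.nonce)

    def require(self, op: str, params: dict, consent) -> None:
        """Called by every mutating method before the API call. A plain True is
        rejected; so is a Consent for other parameters or one already spent."""
        if op not in SENSITIVE_OPS:
            return
        if not isinstance(consent, Consent):
            raise PermissionError(f"{op} requires a Consent token, got {consent!r}")
        if consent.nonce in self._consumed:
            raise PermissionError("consent already used")
        expected = hashlib.sha256(_canonical(op, params)).hexdigest()
        if consent.op != op or not hmac.compare_digest(consent.digest, expected):
            raise PermissionError("consent was given for a different action")
        self._consumed.add(consent.nonce)

def _call_api(action: str, **params) -> dict:
    # Stand-in for the SDK call so the example runs offline (constructed).
    return {"status": "submitted", "action": action, "request": params}

def renew_domain(gate: ConfirmationGate, domain: str, years: int, consent) -> dict:
    params = {"domain": domain, "years": years}
    gate.require("renew", params, consent)  # gate first, API second
    return _call_api("renew", **params)

def outcome(fn, *args, **kwargs) -> str:
    """Return 'ok' or the exception class name; used by the demo and tests."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except PermissionError as exc:
        return type(exc).__name__

if __name__ == "__main__":
    gate = ConfirmationGate(secrets.token_bytes(32))
    ch = gate.propose("renew", {"domain": "example.com", "years": 1})
    print(f"Renew example.com for 1 year? Type {ch.code} to confirm.")
    consent = gate.confirm(ch, ch.code)  # stands in for the user typing it
    print(renew_domain(gate, "example.com", 1, consent))
    print(outcome(renew_domain, gate, "example.com", 1, True))  # PermissionError
```

The property worth checking in your own skill is the one the test below exercises: a consent for renewing example.com for one year cannot be replayed, cannot be used for ten years or another domain, and a literal True is never accepted. The gate only holds if confirm() is reachable from the human interface and not registered as a tool the agent can call itself.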

Missing User Warnings

Severity: Medium
Confidence: 78%
The script writes a full domain asset assessment to a predictable local path without obtaining prior user consent or offering an opt-in/opt-out control. Because the report can contain sensitive inventory information such as owned domains, expiration timelines, and estimated asset values, silent local persistence increases the risk of unintended disclosure to other local users, backup systems, or adjacent tooling.
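The registrant-PII findings above (sample data in the documentation, raw-response printing, monitoring output piped to webhooks, and the silently written local report) share one remedy: decide what may leave the process by allow-list, apply it before anything is printed, posted or saved, and make persistence opt-in with a file that only the owner can read. The following is an added example for this audit, not code from the skill. The field names in EXPORT_ALLOWLIST and in the sample response are assumptions about the shape of the API response and should be checked against a real one; the registrant values in SAMPLE_RESPONSE are constructed.

```python
import json
import os
import re
from pathlib import Path
from typing import Any

# Keys allowed to leave the process in reports, alerts and debug output.
# Names are assumptions for this example; check them against the real API
# response before relying on this list. Everything else is dropped.
EXPORT_ALLOWLIST = {"DomainName", "DomainStatus", "RegistrationDate",
                    "ExpirationDate", "ExpirationCurrDateDiff", "Remark"}

# Second layer: contact-looking strings are masked even inside allowed keys,
# because people paste emails and numbers into free-text labels. Only
# international-format (+...) phone numbers are matched so dates are untouched.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+\d[\d\s-]{6,}\d")

_DROP = object()

def _mask_text(value: str) -> str:
    return PHONE_RE.sub("[phone redacted]", EMAIL_RE.sub("[email redacted]", value))

def redact_for_export(obj: Any, key: str = None, depth: int = 0) -> Any:
    """Allow-list redaction at any depth. Containers are descended into; a
    scalar survives only if its key (or its enclosing list's key) is
    allow-listed. Empty containers left behind are pruned."""
    if depth > 32:
        raise ValueError("response nested too deeply")
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            kept = redact_for_export(v, k, depth + 1)
            if kept is not _DROP and kept not in ({}, []):
                out[k] = kept
        return out
    if isinstance(obj, list):
        items = [redact_for_export(v, key, depth + 1) for v in obj]
        return [v for v in items if v is not _DROP]
    if key not in EXPORT_ALLOWLIST:
        return _DROP
    return _mask_text(obj) if isinstance(obj, str) else obj

def expiring_domains(response: dict, within_days: int) -> list:
    """Alert payload for a webhook or email, built from redacted data:
    only the name and days to expiry, nothing about the registrant."""
    safe = redact_for_export(response)
    domains = safe.get("Data", {}).get("Domain", [])
    return [{"domain": d["DomainName"], "days_left": d["ExpirationCurrDateDiff"]}
            for d in domains if d.get("ExpirationCurrDateDiff", 10**9) <= within_days]

def write_report(report: Any, path, opt_in: bool = False) -> Path:
    """Persist a redacted report only when the user opted in. The file is
    created owner-read/write only (POSIX mode 0600) and creation fails if
    the path already exists, so a predictable path cannot be clobbered or
    pre-planted as a symlink."""
    if not opt_in:
        raise PermissionError("report persistence is opt-in; pass opt_in=True")
    data = json.dumps(redact_for_export(report), indent=2, ensure_ascii=False)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(data)
    return Path(path)

# Constructed sample response; the registrant values are fictional.
SAMPLE_RESPONSE = {
    "RequestId": "0123-constructed",
    "Data": {"Domain": [
        {"DomainName": "example.com", "DomainStatus": "3",
         "RegistrationDate": "2020-01-15 12:00:00",
         "ExpirationDate": "2027-01-15 12:00:00", "ExpirationCurrDateDiff": 20,
         "RegistrantName": "Jane Doe", "Email": "jane.doe@example.com",
         "Telephone": "+86 138 0000 0000", "TemplateId": "t-constructed-001",
         "Remark": "owner jane.doe@example.com, call +86 138 0000 0000"},
        {"DomainName": "example.org", "DomainStatus": "3",
         "ExpirationDate": "2029-06-01 00:00:00", "ExpirationCurrDateDiff": 900,
         "RegistrantName": "Jane Doe", "Email": "jane.doe@example.com"},
    ]},
}

if __name__ == "__main__":
    # Safe replacement for "print the raw response" while debugging.
    print(json.dumps(redact_for_export(SAMPLE_RESPONSE), indent=2))
    print(expiring_domains(SAMPLE_RESPONSE, within_days=30))
```

Use redact_for_export() as the only path to print(), the logger, the webhook body and the report file, rather than stripping fields at each call site; an allow-list fails closed when the API adds a new registrant field, whereas a deny-list silently leaks it.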

VirusTotal

All 66 VirusTotal vendors reported this skill as clean (0/66 detections).


Static analysis

No suspicious patterns detected.