AList CLI (Cloud Storage CLI for AList)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real AList file-management skill, but it deserves review because it encourages plaintext credential persistence, privileged setup steps, and remote file changes without clear safeguards.

Install only if you trust the publisher and the AList server you configure. Use a least-privilege AList account, avoid saving the password in ~/.bashrc, prefer a non-sudo alias or virtual environment, and require explicit confirmation before delete, move, upload, or public-link actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The onboarding instructs the agent to modify system-wide state by creating a symlink in /usr/local/bin via sudo. That exceeds normal AList file-management needs and can permanently alter the host environment, increasing blast radius if the skill path is replaced or tampered with.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The document recommends persisting ALIST_URL, username, and password in ~/.bashrc, which stores plaintext credentials in a broadly readable and long-lived location. This expands capability beyond the current session and risks credential leakage through shell history, backups, dotfile sync, or later local access.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The OpenAPI spec exposes far more than file-management operations: it includes admin endpoints for users, roles, settings, storage, drivers, and tasks. In an agent skill, the spec defines the agent's callable authority, so this creates a dangerous capability mismatch where a user invoking a 'file management' skill could indirectly trigger privileged administrative actions outside the advertised scope.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The spec includes user-management operations such as listing users, creating users, updating users, deleting users, and cancelling 2FA, which are unrelated to normal file operations. If the agent can access these endpoints, prompt injection, misuse, or accidental invocation could lead to account takeover, user deletion, or privilege manipulation.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The skill exposes storage and driver administration endpoints that can create, modify, enable, disable, or delete back-end storage definitions, including configurations that may contain secrets or external connection details. This exceeds the stated purpose and could let an attacker reconfigure data backends, redirect file operations, or extract sensitive infrastructure information through the agent.

Context-Inappropriate Capability

Severity: Critical
Confidence: 99%
Finding:
The spec includes global settings, token listing/reset, and integration configuration endpoints that can expose or rotate permanent tokens and modify system-wide behavior. In an agent context, this is especially dangerous because a seemingly harmless file-management request could be escalated into credential exposure, token invalidation, or persistent reconfiguration of the whole AList instance.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
Role and permission administration endpoints allow creation, update, retrieval, and deletion of authorization scopes, which directly control access across the system. Exposing these in a non-admin file-management skill enables privilege escalation paths if the agent is induced to alter role definitions or assign broader permissions indirectly.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
Persisting plaintext AList credentials in ~/.bashrc without an explicit warning normalizes unsafe secret handling. Anyone or any process with access to the account, backups, or synchronized dotfiles may recover the credentials and gain file-service access.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding:
The instructions recommend sudo ln -sf into /usr/local/bin without clearly warning that this changes system state outside the skill's normal scope. Even if intended for convenience, privileged filesystem changes can break existing commands or create persistence that survives the session.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger terms are very broad: 'file management', 'upload/download', and 'AList operations' can match many ordinary file tasks unrelated to this specific storage backend. In an agent setting, that can cause over-selection of this skill, leading to accidental uploads, downloads, or remote file operations against a live AList instance when the user only wanted local file handling.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill exposes destructive commands like 'rm' and 'mv' without any warning, safeguard, or confirmation guidance. In an autonomous or semi-autonomous agent workflow, this makes accidental deletion, overwrite, or relocation of remote files more likely, especially because the backend is a real networked storage service rather than a local sandbox.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The rm command performs irreversible remote deletion immediately with no confirmation prompt, dry-run mode, or safeguard against accidental paths. In an agent or automation context, a malformed prompt, typo, or path confusion could delete user data on the remote AList instance without any chance to abort.

VirusTotal

60/60 vendors flagged this skill as clean.