Aliyun Search 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Alibaba Cloud web search helper that uses user-provided cloud credentials to call the expected search API.

Before installing, use a least-privilege Alibaba Cloud key for UnifiedSearch/OpenSearch only, avoid pasting secrets into chats or committing them to files, rotate keys periodically, and treat returned links and snippets as untrusted web search results.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The README instructs users to set long-lived Alibaba Cloud access credentials in environment variables but provides no warning about secret handling, scoping, rotation, or avoiding disclosure in logs and shells. While this is a common setup pattern, the absence of safeguards in security-sensitive documentation can lead to credential leakage, overprivileged key usage, or reuse of production secrets in unsafe environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal