Cloud Migration CMG (云迁移CMG)

Security checks across malware telemetry and agentic risk

Overview

This cloud migration skill is mostly purpose-aligned, but it asks for high-impact cloud access and can silently install/configure tools that send infrastructure data to an unverified remote service.

Review before installing. Only use temporary least-privilege read-only cloud credentials, avoid main/root account keys, verify any downloaded scanner binaries, require approval before running setup.sh, replace the default HTTP MCP endpoint with a trusted HTTPS endpoint, and do not use the pricing script with real credentials until TLS verification is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The instruction to run setup automatically, '无需询问用户' ("no need to ask the user"), authorizes system modification and installation without informed consent. In an agent setting this is dangerous because Bash-based setup scripts can change local configuration, install dependencies, add credentials, or alter MCP settings, creating a path for persistence, misconfiguration, or execution of unreviewed code.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The skill instructs the agent to automatically install and configure external tooling on first use, including running a setup script and changing local configuration, even though the stated purpose is recommendation. That expands the skill from data processing into environment modification and remote connectivity bootstrapping, which can lead to unauthorized code execution, persistent configuration changes, and unreviewed trust of external services.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill directs the agent to read local Excel files with Python/openpyxl and process workspace data beyond pure recommendation logic. Accessing arbitrary local files and parsing them can expose sensitive infrastructure inventories and increases the blast radius if the file path or content is attacker-controlled.

Context-Inappropriate Capability

Severity: Low
Confidence: 90%
Finding
The skill requires writing recommendation output to a local JSON file in the current working directory for downstream consumption. Persisting cloud inventory and recommendation data to disk creates a confidentiality risk, may overwrite files unexpectedly, and introduces side effects beyond the declared recommendation behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The document establishes a strict rule that pricing must come from real APIs or official calculators, but later introduces approximate disk unit prices for validation and elsewhere permits choosing the 'closest' specification for non-standard products. In a pricing and TCO workflow, this contradiction can normalize approximation and create a path for fabricated or misleading commercial outputs, especially if an agent treats these references as acceptable substitutes when live pricing fails.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The setup flow installs mcporter globally and persists configuration for a remote MCP server, changing the host environment and enabling future remote interactions. That behavior is broader than a simple local helper/check script and is risky because it occurs automatically without a trust/consent gate, increasing supply-chain and unintended outbound connectivity exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The script hard-codes a default remote server as a raw IP address and uses it whenever the user does not specify a URL. This creates implicit trust in an external endpoint, can direct traffic to an unexpected service, and makes the skill more dangerous because the migration/recommendation context normalizes connecting to cloud resources and remote tooling.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The Aliyun client explicitly disables hostname checking and certificate validation for HTTPS requests. Because this tool handles cloud access keys, secrets, inventory data, and pricing requests over the network, a man-in-the-middle attacker could intercept credentials, tamper with API responses, or redirect requests without detection.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger list includes broad phrases such as '帮我推荐' ("help me recommend") and '给我推荐' ("give me a recommendation"), which can accidentally activate a skill capable of shell execution, browser access, remote MCP calls, and pricing workflows in unrelated conversations. Over-broad activation increases the chance that sensitive cloud migration logic or setup actions are invoked in the wrong context, potentially leading to unintended data handling or environment changes.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill allows automatic environment setup and configuration changes, but this system-changing behavior is not disclosed in the description users see when deciding whether to invoke it. Hidden side effects are especially risky in security-sensitive environments because users may expect assessment guidance only, while the skill can instead install or configure tooling and connect to remote services.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The guidance instructs users to configure source-side AK/SK (access key ID and secret) and endpoint connection information for migration tasks, but it omits any warning about secure credential handling, least-privilege access, secret storage, or the risk of data loss/overwrite during transfer. In a migration skill, this omission can lead users to expose highly privileged cloud credentials or perform destructive data movement without understanding the operational risks.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The setup flow explicitly writes configuration into ~/.mcporter/mcporter.json and says no user confirmation is needed. Writing persistent config into the user's home directory without consent is dangerous because it silently changes trust relationships and can reroute future tool invocations to attacker-controlled or unreviewed endpoints.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill says execution occurs by calling a remote MCP server in real time, but it does not provide a clear privacy/security warning that user-supplied infrastructure details, resource inventories, and sizing data will be transmitted externally. In this context, cloud topology, instance specs, and regional deployment details are often sensitive business information and may materially increase attack exposure if disclosed.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The document instructs users to place long-lived cloud credentials directly into a local config.yaml file and execute a downloaded scanner, but it provides no guidance on secure storage, file permissions, rotation, or use of temporary/read-only credentials. In the context of multi-cloud inventory scanning, these keys can expose broad cloud visibility and potentially more if over-privileged, making accidental leakage via source control, shared directories, backups, or endpoint compromise a realistic risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script performs a global npm installation and writes persistent mcporter configuration without prompting the user or requiring explicit approval for those changes. This is dangerous because it silently alters the system state and establishes future trust in a remote service, which can be abused if the package or endpoint is compromised.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
Disabling TLS verification without warning removes the primary protection against endpoint impersonation and response tampering. In the context of a migration and pricing tool that transmits cloud credentials and processes infrastructure metadata, this materially increases the risk of credential theft and falsified pricing or inventory results.

VirusTotal

63/63 vendors flagged this skill as clean.