Security audit

Volcano Engine Serverless Flink Skill

Security checks across malware telemetry and agentic risk

Overview

This Flink administration skill is mostly legitimate, but it mixes read-only framing with real configuration-changing and credential-sensitive workflows that should be reviewed before use.

Install only if you intend to let an agent help administer Volcano Engine Flink. Use least-privilege credentials, avoid production changes unless you can review each command, require explicit confirmation before create/update/delete/stop/restart/rescale/restore actions, do not paste secrets into chat or SQL/YAML examples, and avoid raw Kafka payload output unless you are sure the messages are safe to expose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (27)

Intent-Code Divergence

Severity: High | Confidence: 95%
The skill claims it is managed under a read-only model, but the documented commands include state-changing operations such as adding, updating, deleting instances and endpoints, and setting defaults. This mismatch can cause an agent or operator to treat the skill as safe for non-mutating use while actually performing persistent configuration changes, increasing the risk of unauthorized or accidental modifications.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
The skill explicitly states it is governed by a read-only convention, but then documents add/remove operations for Kafka instances and endpoints. This mismatch can cause an agent or user to treat the skill as safe for inspection-only use while actually performing persistent configuration changes, increasing the risk of unintended modification or deletion of saved connection settings.

Intent-Code Divergence

Severity: Medium | Confidence: 97%
The skill contains contradictory guidance: it says the agent must only inspect the user-specified task and must not view other tasks, but the workflow instructs the agent to list projects and tasks when the user has not provided a task. In practice, this can cause unnecessary enumeration of unrelated jobs and expose metadata about other workloads, violating least-privilege and tenant/data-minimization expectations.

Intent-Code Divergence

Severity: Medium | Confidence: 94%
The skill explicitly states it is managed as read-only and should not directly modify parameters or tasks, but later sections instruct the agent to proceed with optimization actions after risk confirmation. This creates a misleading safety boundary: an orchestrator or reviewer may treat the skill as safe/read-only while the embedded workflow still enables state-changing operations, increasing the chance of unintended job restarts, rescaling, or config changes in production.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
The skill explicitly states it is managed under a read-only convention, but later includes mutation workflows and concrete `resource-pools create` commands. This mismatch can cause an orchestrator or reviewer to treat the skill as safe for low-risk invocation while it still contains instructions that create billable resources, increasing the chance of unauthorized or accidental state-changing operations.

Description-Behavior Mismatch

Severity: Medium | Confidence: 87%
The manifest scopes this skill to resource-pool operations, but the document expands into enumerating all jobs and inspecting each job's details across the environment. That scope creep can expose unrelated workload metadata and lead the agent to perform broader-than-expected discovery, violating least privilege and surprising users or policy engines that only approved resource-pool access.

Intent-Code Divergence

Severity: Medium | Confidence: 98%
The example explicitly sets `properties.ssl.endpoint.identification.algorithm` to an empty string, which disables TLS hostname verification. That allows man-in-the-middle attacks with any certificate chaining to a trusted CA or otherwise accepted by the client, undermining the protection expected from `SASL_SSL`.

Description-Behavior Mismatch

Severity: Medium | Confidence: 93%
The skill is presented as a read-only validation/pre-check tool, but it later instructs the agent to create and delete temporary drafts when raw SQL is provided. That introduces write-side effects that users and higher-level orchestrators may not expect, which can bypass least-privilege assumptions and cause unintended state changes or artifact sprawl in the Flink environment.

Intent-Code Divergence

Severity: Medium | Confidence: 96%
The documentation explicitly says the skill only performs validation and does not modify task state, yet later directs creation and deletion of temporary drafts. This internal contradiction is dangerous because policy engines, users, or agents may trust the declared non-mutating scope and invoke the skill in contexts where writes are prohibited, leading to unauthorized or unexpected resource changes.

Description-Behavior Mismatch

Severity: Medium | Confidence: 96%
The skill repeatedly states that authentication and account switching are out of scope, but later provides explicit account-isolation and login procedures using `VOLC_FLINK_CONFIG_DIR` and `volc_flink login`. This inconsistency can cause the agent to perform sensitive auth actions in the wrong skill context, increasing the chance of mishandling credentials or bypassing intended separation of duties.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
Although the document says this skill does not handle authentication, it instructs the user/agent to run `volc_flink login` directly in the multi-account section. That contradiction weakens safety boundaries between skills and may lead an automation agent to execute authentication flows where secret-handling rules or approval gates are not enforced.

Vague Triggers

Severity: Medium | Confidence: 94%
The routing rules rely on very broad keywords such as '启动、停止、重启、监控、日志、错误' (start, stop, restart, monitor, logs, errors) that can appear in ambiguous or unrelated requests. In an operational Flink skill, this can misroute users into action-oriented subskills and increase the chance that the agent proposes or initiates impactful infrastructure actions without sufficient intent confirmation.

Missing User Warnings

Severity: Medium | Confidence: 92%
The README advertises operational capabilities like stop, restart, scaling, configuration changes, and savepoint restore/delete without prominently warning that these actions can disrupt running jobs or alter recoverability. In a skill designed to manage live Flink environments, missing guardrails and user warnings materially raise the risk of accidental service interruption or irreversible operational mistakes.

Missing User Warnings

Severity: Medium | Confidence: 92%
The skill explicitly advertises and routes to high-impact operational actions such as stopping, restarting, rescaling, modifying parameters, and deleting/restoring savepoints, but the entrypoint documentation does not require confirmation, environment scoping, or a production-safety warning before such actions. In an agentic setting, this increases the risk that an ambiguous or casually phrased user request leads to disruptive changes in live Flink workloads.

Missing User Warnings

Severity: Medium | Confidence: 95%
The manifest explicitly defines access key and secret key fields for the LAS Hive client, which encourages direct secret injection into job configuration. In a skill/template context, this is dangerous because secrets may be logged, persisted in configs, exposed in UI/history, or mishandled by downstream tooling, especially in an agent-managed workflow that automates configuration generation.

Missing User Warnings

Severity: Medium | Confidence: 84%
The documentation shows LAS access credentials being passed as explicit configuration fields (`...las.ak` and `...las.sk`) without any accompanying warning about secret handling, storage, or safe injection. In an operational Flink skill, users may copy this pattern into configs, logs, or source-controlled files, increasing the chance of credential exposure and unauthorized access to the LAS catalog.

Missing User Warnings

Severity: Medium | Confidence: 89%
The skill encourages consuming Kafka messages and supports raw JSON output, but it does not warn that sampled records may contain secrets, personal data, tokens, or proprietary business payloads. In an agent setting, this can lead to unnecessary exfiltration of sensitive data into chat transcripts, logs, or downstream tooling during routine debugging.

Missing User Warnings

Severity: Medium | Confidence: 84%
The documentation shows deletion commands for saved Kafka instances and endpoints without clearly warning that these actions remove persisted connection configuration. Users or agents may execute them as routine troubleshooting steps, causing loss of configuration, broken dependencies, or service disruption for workflows that rely on those saved entries.

Missing User Warnings

Severity: Medium | Confidence: 87%
The documented deletion commands remove Kafka instance and endpoint definitions, which are saved connection configurations, but the skill does not clearly warn about persistence loss or require confirmation. In an agent setting, this can lead to accidental destruction of connectivity metadata and disruption of downstream workflows that depend on those saved endpoints.

Missing User Warnings

Severity: Medium | Confidence: 82%
The skill encourages consuming Kafka messages for debugging without a clear warning that message payloads may contain secrets, personal data, or regulated business information. In this context, the danger is elevated because the examples normalize printing raw messages and JSON directly into agent/chat output, which can unintentionally exfiltrate sensitive stream data to logs, transcripts, or unauthorized viewers.

Missing User Warnings

Severity: Low | Confidence: 88%
The template includes a sensitive credential field (`bytehouse.gateway.api-token`) directly in example configuration without any warning about secret handling, which can normalize unsafe practices such as hardcoding tokens into SQL files, repos, or logs. In this Flink skill context, users are likely to copy-paste the template into real job definitions, increasing the chance of accidental credential exposure in source control or shared environments.

Missing User Warnings

Severity: Medium | Confidence: 92%
The security templates show credentials and truststore passwords embedded inline in SQL properties without any warning about secret handling. In practice, users often copy these patterns directly into repositories, notebooks, or job definitions, which can lead to credential exposure through source control, logs, screenshots, and operational metadata.

Missing User Warnings

Severity: High | Confidence: 99%
The example not only mentions skipping hostname verification but provides the exact insecure configuration to do so, without a prominent warning. Because this is a copy/paste template in a Flink Kafka skill, users are likely to adopt it directly in production, weakening TLS identity validation and enabling interception or redirection attacks.

Missing User Warnings

Severity: Medium | Confidence: 90%
The template includes explicit placeholders for access key and secret key values in SQL catalog configuration, but provides no warning to avoid hardcoding real credentials or to use a secret-management mechanism. In an agent skill context, users may paste live credentials into prompts, files, or job definitions, increasing the risk of credential exposure through logs, chat history, version control, or shared artifacts.

Missing User Warnings

Severity: Medium | Confidence: 95%
The template explicitly shows how to place an access key and secret key into the Kafka JAAS configuration (`password="<ak>#<sk>"`) but gives no warning about secret handling, storage, redaction, or safer injection mechanisms. In a Flink SQL skill, users commonly copy templates into notebooks, consoles, repos, or logs, so this increases the risk of credential leakage through command history, saved jobs, screenshots, or version control.

VirusTotal

66/66 vendors flagged this skill as clean.