Huawei Cloud ModelArts Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Huawei Cloud ModelArts management skill, but it can change or delete cloud resources and return sensitive exec login data without consistent safeguards.

Install only if you intend to let an agent administer Huawei Cloud ModelArts resources. Use least-privilege, non-production credentials first, verify project and region before mutating calls, and require explicit human confirmation outside the skill for delete, batch delete, reinstall OS, change OS, workspace, quota, and authorization actions. Treat exec login results and any cluster token as sensitive secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises broad networked cloud-management capabilities but does not declare permissions accordingly. This weakens review and consent boundaries, making it easier for a user or host system to underestimate the skill's ability to enumerate, modify, or delete remote resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The manifest description presents a comparatively narrow integration, while the documentation exposes extensive administrative and destructive operations across multiple Huawei Cloud services. This mismatch can mislead operators and automated reviewers, causing the skill to be enabled in contexts where its real power to create, alter, or destroy infrastructure is not expected.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest omits destructive and administrative actions even though the documentation advertises create, update, stop, delete, batch operations, and authorization management. Hiding these capabilities increases the risk of accidental or unauthorized high-impact actions because consumers may not realize the skill can perform them.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest omits destructive and administrative actions even though the documentation advertises create, update, stop, delete, batch operations, and authorization management. Hiding these capabilities increases the risk of accidental or unauthorized high-impact actions because consumers may not realize the skill can perform them.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file documents that deletion should only occur after an explicit `confirm=True`, but the bulk helpers call `ma_train_job_delete(job_id)` without any confirmation flow and still present themselves as deletion utilities. This creates a misleading and unsafe interface contract: callers may believe they are using a safe bulk-delete helper while confirmation is inconsistently enforced at higher layers, which can lead to accidental destructive operations if the confirmation guard is later bypassed or refactored incorrectly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation lists many destructive operations such as delete, stop, batch actions, and authorization changes without warning about resource loss, downtime, or cost impact. In an agent setting, lack of cautions and preconditions increases the chance of unsafe execution of high-impact operations.

Missing User Warnings

Low
Confidence
72% confidence
Finding
Environment-variable authentication is documented without warning that AK/SK values are highly sensitive and may leak through CI logs, shell history, crash reports, or misconfigured debugging. While not a direct exploit by itself, omission of handling guidance increases the likelihood of credential exposure in real deployments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The quick-create helper explicitly calls the main creation function with force_confirm=True, bypassing the normal confirmation state check intended to prevent accidental or unauthorized service creation. In a cloud-integrated skill that provisions ModelArts resources, this increases the chance of unintended deployments, resource consumption, and cost impact if the function is invoked by an agent or user without an explicit review step.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This function performs an irreversible destructive action against a cloud inference service using only a provided service ID and immediately submits the deletion request. In an agent skill context, lack of an explicit confirmation gate, dry-run mode, or safeguard against accidental invocation increases the risk of unintended service disruption or loss of production availability.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This function is explicitly designed to retrieve exec login details for running service containers, and the docstring states the response may include a cluster token. Returning credential-like access material through a generic helper without any redaction, secondary authorization check, or user confirmation increases the risk of privilege misuse, token exposure in downstream logs/UI, and unauthorized shell access to workloads.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The batch deletion helper APIs expose destructive behavior without their own explicit confirmation parameter or user-facing warning, even though they are convenience wrappers likely to be invoked by higher-level automation. In agent/tool contexts, thin wrappers around destructive actions are dangerous because they lower friction and make accidental mass deletion easier.
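The confirmation gap that runs through the Intent-Code Divergence, quick-create, service-delete and batch-delete findings, together with the project/region check the Overview recommends, in one hardened shape. This is an added example, not the skill's own code: `FakeClient` stands in for the ModelArts SDK client and only records calls; `ma_train_job_delete` and `ma_train_job_batch_delete` reuse names from the report but are re-implemented here; the `expected_project`, `expected_region`, `dry_run` and `max_batch` parameters are assumptions about how a gated wrapper would be shaped.

```python
"""Confirmation gate for destructive ModelArts calls (added example)."""
from dataclasses import dataclass, field


class ConfirmationRequired(Exception):
    """A destructive call was attempted without confirm=True."""


class ScopeMismatch(Exception):
    """The client's project/region differ from what the operator expected."""


@dataclass
class FakeClient:
    """Stand-in for the ModelArts SDK client; records what would be deleted."""
    project_id: str
    region: str
    deleted: list = field(default_factory=list)

    def delete_training_job(self, job_id: str) -> dict:
        self.deleted.append(job_id)
        return {"job_id": job_id, "status": "deleting"}


def check_scope(client: FakeClient, expected_project: str, expected_region: str) -> None:
    """Verify project and region before any mutating call, so a stale env or
    config cannot aim a delete at the wrong account."""
    if client.project_id != expected_project or client.region != expected_region:
        raise ScopeMismatch(
            f"client targets {client.project_id}/{client.region}, "
            f"expected {expected_project}/{expected_region}"
        )


def ma_train_job_delete(client, job_id, *, expected_project, expected_region,
                        confirm=False, dry_run=False):
    """Delete one training job. dry_run returns the plan only; otherwise the
    call is refused unless the caller passed confirm=True explicitly."""
    check_scope(client, expected_project, expected_region)
    if dry_run:
        return {"job_id": job_id, "action": "delete", "dry_run": True}
    if confirm is not True:  # strict: a truthy string from an agent must not pass
        raise ConfirmationRequired(
            f"refusing to delete training job {job_id} without confirm=True")
    return client.delete_training_job(job_id)


def ma_train_job_batch_delete(client, job_ids, *, expected_project, expected_region,
                              confirm=False, dry_run=False, max_batch=10):
    """Bulk helper that forwards confirm and dry_run to the single-job delete
    instead of calling it with defaults, and caps the blast radius."""
    job_ids = list(job_ids)
    if len(job_ids) > max_batch and not dry_run:
        raise ConfirmationRequired(
            f"batch of {len(job_ids)} exceeds max_batch={max_batch}; split it or dry-run first")
    return [ma_train_job_delete(client, job_id, expected_project=expected_project,
                                expected_region=expected_region,
                                confirm=confirm, dry_run=dry_run)
            for job_id in job_ids]


def refuses(fn, *args, **kwargs):
    """Return the name of the exception fn raises, or None if it succeeds."""
    try:
        fn(*args, **kwargs)
    except Exception as e:
        return type(e).__name__
    return None


if __name__ == "__main__":
    client = FakeClient(project_id="proj-example", region="region-a")  # constructed values
    print(ma_train_job_batch_delete(client, ["job-1", "job-2"],
                                    expected_project="proj-example",
                                    expected_region="region-a", dry_run=True))
    print(refuses(ma_train_job_delete, client, "job-1",
                  expected_project="proj-example", expected_region="region-a"))
```

`confirm` is compared with `is True` so a truthy string an agent emits ("yes", "confirmed") does not open the gate; `dry_run` produces the plan without touching the API, which is what an orchestrator should show a human before re-running with `confirm=True`; and the batch helper threads both flags through rather than wrapping an unguarded single-job call, which is the divergence the scan flagged.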

Missing User Warnings

Medium
Confidence
89% confidence
Finding
When debug is enabled, the function returns the full request body and raw API response to the caller. Those structures can contain account identifiers, workspace/job metadata, user identifiers, and other sensitive operational details that would normally remain internal; if exposed to untrusted users or logs, this increases information disclosure risk and can aid reconnaissance.
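A redaction layer that covers both the exec-login finding (the response may carry a cluster token) and the debug finding (raw request/response bodies returned to the caller). This is an added example, not the skill's own code: the key names in `SECRET_KEYS` and `IDENTIFIER_KEYS` are assumptions about what such payloads contain, and `SAMPLE_EXEC_LOGIN` is a constructed payload rather than a real API response.

```python
"""Redact tokens and account identifiers before a response reaches an agent
context, UI or log (added example)."""
import re
from typing import Optional

SECRET_KEYS = {"token", "cluster_token", "password", "secret",
               "access_key", "secret_key", "ak", "sk"}          # assumed key names
IDENTIFIER_KEYS = {"project_id", "domain_id", "user_id", "account_id", "workspace_id"}

# Secrets also hide inside free text (exec commands, URLs), so scrub strings too.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._-]+")


def mask_id(value) -> str:
    """Keep a 4-char prefix so operators can still correlate, hide the rest."""
    s = str(value)
    return s[:4] + "***" if len(s) > 4 else "***"


def redact(obj):
    """Recursively redact a JSON-like structure; returns a new object."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            lower = str(key).lower()
            if lower in SECRET_KEYS:
                out[key] = "[REDACTED]"
            elif lower in IDENTIFIER_KEYS:
                out[key] = mask_id(value)
            else:
                out[key] = redact(value)
        return out
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    if isinstance(obj, str):
        scrubbed = JWT_RE.sub("[REDACTED_JWT]", obj)
        return BEARER_RE.sub(r"\1[REDACTED]", scrubbed)
    return obj


def exec_login_for_agent(raw: dict):
    """Split an exec-login response: the agent gets the redacted view, the raw
    credential material goes to a vault or secret handler, never both to the model."""
    secrets = {k: v for k, v in raw.items() if str(k).lower() in SECRET_KEYS}
    return redact(raw), secrets


def debug_view(request_body: dict, response: dict, *, debug: bool = False) -> Optional[dict]:
    """Even with debug on, hand back redacted copies rather than the raw objects."""
    if not debug:
        return None
    return {"request": redact(request_body), "response": redact(response)}


SAMPLE_EXEC_LOGIN = {  # constructed sample payload, not a real response
    "service_id": "svc-0001",
    "project_id": "0123456789abcdef0123456789abcdef",
    "pod": "infer-0",
    "cluster_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.c2lnbmF0dXJl",
    "exec_command": "kubectl exec infer-0 -- sh --token "
                    "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.c2lnbmF0dXJl",
}

if __name__ == "__main__":
    safe, secrets = exec_login_for_agent(SAMPLE_EXEC_LOGIN)
    print(safe)
    print(sorted(secrets))
```

The split in `exec_login_for_agent` is the important part: an agent that needs the shell can be handed an opaque handle to the secret by the host, but the token itself should never enter the model context, a tool-result log or a UI transcript. `debug_view` keeps the diagnostic value of the request/response bodies while masking project, user and workspace identifiers that would otherwise aid reconnaissance.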

Unsafe Defaults

Medium
Category
Tool Misuse
Content
)
except ImportError as e:
    sys.stderr.write(f"Common module import warning: {e}\n")
    ensure_authentication = None
    format_api_result = None
    authenticated_api_call = None
    simple_api_call = None
Confidence
90% confidence
Finding
authentication = None
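The snippet above swallows the ImportError, prints a warning and leaves `ensure_authentication` and the API-call helpers as None. An added example, not the skill's own code, showing why that default is unsafe and what a fail-closed version looks like: `ma_common` is a hypothetical module name standing in for the skill's shared module, and the `helpers`/`raw_call` arguments are constructed stubs so the two behaviours can be compared offline.

```python
"""Fail closed when the shared authentication helpers cannot be imported
(added example)."""
import importlib
import sys


class MissingAuthHelpers(RuntimeError):
    """The shared auth module never loaded; refuse to touch the cloud API."""


def load_common_helpers(module_name="ma_common"):
    """Mirror of the skill's pattern: on ImportError, warn and return Nones.
    `ma_common` is a hypothetical name, not the skill's real module."""
    try:
        mod = importlib.import_module(module_name)
        return mod.ensure_authentication, mod.authenticated_api_call
    except ImportError as e:
        sys.stderr.write(f"Common module import warning: {e}\n")
        return None, None


def list_jobs_unsafe(helpers, raw_call):
    """Pattern to avoid: `if helper:` skips auth when the helper is None, and
    the request silently downgrades to whatever transport is left."""
    ensure_auth, auth_call = helpers
    if ensure_auth:
        ensure_auth()
    call = auth_call or raw_call
    return call("GET", "/v1/jobs")


def list_jobs_safe(helpers, raw_call):
    """Fail closed: same inputs, but a missing helper aborts before any request."""
    ensure_auth, auth_call = helpers
    if ensure_auth is None or auth_call is None:
        raise MissingAuthHelpers("shared auth helpers unavailable; refusing to call the API")
    ensure_auth()
    return auth_call("GET", "/v1/jobs")  # raw_call is never used once auth is required


def refuses(fn, *args, **kwargs):
    """Return the name of the exception fn raises, or None if it succeeds."""
    try:
        fn(*args, **kwargs)
    except Exception as e:
        return type(e).__name__
    return None


if __name__ == "__main__":
    helpers = load_common_helpers("module_that_does_not_exist_example")
    raw = lambda method, path: {"auth": False, "path": path}  # constructed transport stub
    print(list_jobs_unsafe(helpers, raw))          # proceeds without authentication
    print(refuses(list_jobs_safe, helpers, raw))   # MissingAuthHelpers
```

The difference only shows up on a broken or tampered install, which is exactly when it matters: with the None default, a missing or shadowed common module turns every "authenticated" call into an unauthenticated one (or a late TypeError on `None(...)`), whereas the guard makes the failure explicit at the entry point.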

VirusTotal

VirusTotal findings are pending for this skill version.
