Huawei Cloud CCE Alarm Correlation Engine

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as an alarm-correlation tool, but the bundled dispatcher exposes many broader cloud and Kubernetes actions, including sensitive credential and cluster mutation capabilities.

Install only after reviewing and restricting the dispatcher/tool exposure. Use least-privilege Huawei credentials limited to AOM alarm operations, avoid passing AK/SK as command parameters, and do not allow this package to access production CCE clusters unless the extra cluster, secret, log, report, and mutation actions are removed or strongly gated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (60)

Missing User Warnings (High severity, 99% confidence)
The function returns full kubeconfig material, including client certificate/key data and YAML-formatted credentials, directly to the caller. In this skill context, that effectively hands out reusable cluster-admin-style access material, which can enable unauthorized cluster access well beyond the immediate action requested.

Missing User Warnings (High severity, 98% confidence)
The secret-listing function can return secret data content when include_data=true, exposing Kubernetes Secret values directly to the caller. Even if base64-encoded, these values often contain credentials, API tokens, or private keys and should be treated as plaintext secret disclosure.

Missing User Warnings (Medium severity, 90% confidence)
Pod logs frequently contain sensitive application data such as access tokens, session identifiers, user data, stack traces, and internal endpoints. Returning logs without warning, filtering, or scoping controls can leak confidential information to any caller able to invoke the skill.

Missing User Warnings (Medium severity, 90% confidence)
The install_cce_addon function performs a real remote state-changing operation against a CCE cluster without any built-in safety gate, confirmation flag, dry-run mode, or explicit risk acknowledgment. In an agent skill context, this is dangerous because a natural-language prompt, prompt injection, or mistaken tool invocation could cause unintended addon installation and cluster changes using already-available cloud credentials.

Missing User Warnings (Medium severity, 93% confidence)
The update_cce_addon function can modify addon versions and arbitrary values on a live cluster with no confirmation or secondary validation. This is more dangerous than a read-only function because misconfiguration, malicious prompting, or accidental invocation can alter production cluster behavior, break observability/networking components, or cause outages.

Missing User Warnings (Medium severity, 95% confidence)
configure_cce_bursting_addon performs targeted infrastructure reconfiguration of the virtual-kubelet bursting addon, including subnet, project, VPC-related, and scheduling settings, without explicit approval or safety interlocks. In this skill context, that is particularly risky because the skill is framed around alarm analysis and operations, so an operator may invoke it in troubleshooting flows while the code silently makes consequential network and scheduling changes to the cluster.

Missing User Warnings (Medium severity, 95% confidence)
The code disables Kubernetes API TLS certificate validation by setting verify_ssl to False while using cluster credentials derived from create_kubernetes_cluster_cert. This makes the connection vulnerable to man-in-the-middle interception, allowing an attacker on the network path to impersonate the API server and capture or manipulate privileged cluster operations.

Missing User Warnings (Medium severity, 90% confidence)
The skill decodes client certificate and private key data and writes them to temporary files on disk, increasing exposure of sensitive authentication material. If file permissions, temp directory access, race conditions, crashes, or logging/backup processes expose those files, an attacker could reuse them to access the cluster.

Missing User Warnings (Medium severity, 92% confidence)
When include_raw is enabled, the code serializes the full Kubernetes inventory to disk, including node names, labels, namespaces, workloads, services, ingresses, and cluster topology. In an agent skill context, this can expose sensitive operational metadata to local storage without clear consent, retention controls, or output redaction, increasing the risk of unintended disclosure to other users, processes, or logs.

Missing User Warnings (Medium severity, 88% confidence)
This code persistently writes cluster analysis outputs, raw API responses, and history records to disk, including operational metadata and potentially sensitive infrastructure details, without any consent gate, warning, or minimization in this file. In an agent skill context, silent persistence increases the risk of unintended data retention, local disclosure to other users/processes, and leakage of cloud inventory or workload information through report artifacts.

Missing User Warnings (Medium severity, 96% confidence)
The function retrieves and returns full kubeconfig material, including client credentials and cluster access details, directly to the caller without any confirmation gate, warning, masking, or least-privilege control. In an agent skill context, this can expose reusable cluster-admin access material through normal tool use, logs, memory, or downstream model output, making unauthorized cluster access much easier.

Missing User Warnings (Medium severity, 90% confidence)
Binding an EIP exposes the Kubernetes API server publicly, materially increasing the attack surface of the control plane, yet the function performs the action immediately with no confirmation or safety warning. In an agent-driven environment, a mistaken or manipulated invocation could convert a private cluster endpoint into an internet-reachable one without clear operator acknowledgement.

Missing User Warnings (Medium severity, 86% confidence)
The function can persist full raw cluster and metrics API responses to disk when include_raw is enabled, with no built-in minimization, redaction, or explicit warning at the point of use. In a CCE/AOM operations context, those responses may contain infrastructure inventory, pod names, namespaces, node IPs, and potentially other sensitive operational metadata that could be exposed through insecure local storage, backups, or shared workspaces.

Missing User Warnings (Medium severity, 97% confidence)
The code writes a kubeconfig derived from cloud credentials to a predictable file under /tmp, then loads it for Kubernetes API access. Kubeconfig commonly contains cluster endpoint details, tokens, or client credentials; storing it on disk in a shared temporary location increases the risk of credential theft through local-user access, symlink/race attacks, container escape side effects, or later forensic recovery.

Missing User Warnings (Medium severity, 94% confidence)
The scaling helper performs a live patch_namespaced_deployment_scale operation directly against the cluster without any built-in confirmation, dry-run, or guardrails. In an agent skill context, this can turn a diagnostic workflow into an unintended state-changing action, causing outages, cost increases, or disruption if invoked with wrong parameters or by prompt confusion.

Missing User Warnings (Low severity, 85% confidence)
The code persists a list of abnormal node identifiers to /root/.openclaw/workspace/report without user disclosure or a clear retention policy. While less sensitive than kubeconfig, infrastructure inventory and health data can still aid reconnaissance, and residual files may be exposed to other processes, backups, or later unintended reads.

Missing User Warnings (Medium severity, 98% confidence)
The subagent task generator constructs shell command strings that include raw access key and secret key values as command-line arguments. Command-line arguments are commonly exposed to process listings, shell history, logs, orchestration metadata, and downstream agents, so this creates a direct credential disclosure path across trust boundaries.

Missing User Warnings (Medium severity, 97% confidence)
The prompt formatter inserts AK and SK directly into natural-language instructions and the example execution command. This unnecessarily propagates secrets into LLM-visible text, transcripts, agent memory, and possibly logs or telemetry, increasing the chance of accidental exfiltration or reuse by other components.

Missing User Warnings (Low severity, 84% confidence)
The export function writes the generated inspection HTML report to a local file in /tmp by default without warning or controls. While this is less severe than credential exposure, the report may contain sensitive operational data about clusters, alarms, nodes, and vulnerabilities, and writing it to a predictable local path can enable unintended disclosure on shared systems.

Missing User Warnings (Medium severity, 97% confidence)
The function can return Kubernetes Secret contents when include_data=True, exposing base64-encoded secret material directly to the caller without any guardrails, warning, or masking. In an agent skill context, this materially increases the risk of credential disclosure because users may invoke the skill for operational troubleshooting and unintentionally retrieve sensitive tokens, passwords, or keys.

Missing User Warnings (Medium severity, 95% confidence)
Client certificate and private key material are decoded and written to predictable files under /tmp, which can expose sensitive authentication artifacts to other local processes depending on file permissions, race conditions, or cleanup failures. This is especially risky because these files represent cluster access credentials, not just incidental temporary data.

Missing User Warnings (Medium severity, 95% confidence)
The create_cce_node function performs a state-changing infrastructure operation that provisions cloud compute resources without any explicit confirmation gate or strong destructive-cost warning. In an agent skill context, this increases the risk of accidental or prompt-induced resource creation, unexpected spend, and unintended cluster changes because the action can be triggered directly from user input once credentials are present.

Missing User Warnings (Medium severity, 95% confidence)
The create_node_pool function performs an immediate cloud-side resource creation without a confirmation gate comparable to the safeguards used in resize_node_pool and delete_node_pool. In an agent setting, this increases the risk of accidental or prompt-induced infrastructure creation, leading to unexpected cost, capacity changes, and unauthorized provisioning.

Missing User Warnings (Medium severity, 88% confidence)
When ssh_key is not provided, the function silently pulls a password from environment-derived state and uses it for node login without explicit user disclosure or confirmation. In an agent-operated cloud skill, this can create nodes with credential material the user did not knowingly authorize for this operation, increasing the risk of unintended secret use and weak auditability around access setup.

Missing User Warnings (Medium severity, 97% confidence)
The function writes report content to a user-controlled path via Path(output_file).write_text(...) without validation, restriction, or confirmation. If an attacker can influence output_file, they may overwrite arbitrary files writable by the process, potentially causing data loss, tampering with local configuration, or planting content in sensitive locations.

VirusTotal

VirusTotal findings are pending for this skill version.