Huawei Cloud CCE Auto Remediation Runner

Security checks across malware telemetry and agentic risk

Overview

The skill is broadly aligned with Huawei Cloud CCE remediation, but it exposes cluster credentials/secrets and allows some live infrastructure changes outside its promised confirmation guardrails.

Review this skill carefully before installing. Use only isolated test environments or least-privileged, disposable Huawei Cloud credentials until the credential exposure, TLS verification, secret/kubeconfig export, and missing confirmation gates are fixed. Do not point it at production clusters unless you are prepared for it to read secrets, write local reports/credentials, and make live infrastructure changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (66)

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The function writes attacker-influenced report content to an arbitrary filesystem path supplied via `output_file` with no validation, restriction, or explicit user warning. In an agent/skill context, this can overwrite local files, drop artifacts in sensitive locations, or persist operational data and credentials-derived context to disk unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The function writes the generated markdown report to a caller-controlled path with no path validation, directory allowlist, or safety prompt. In an agent context, this can be abused to overwrite arbitrary files accessible to the runtime, causing data loss, persistence, or tampering with local configuration/artifacts.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
This code automatically fetches Cluster Autoscaler pod logs, including previous crash logs, and incorporates snippets into evidence/report output. Operational logs commonly contain sensitive infrastructure details, error payloads, endpoint data, and sometimes secrets or tokens, so collecting and exposing them without explicit consent or redaction creates a confidentiality risk.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The get_cce_kubeconfig function returns full kubeconfig material, including client certificate/key data and endpoint details, directly to the caller without any preview-only flow, confirmation gate, masking, or explicit danger warning. That kubeconfig is an active cluster credential, so exposing it enables cluster access outside the intended skill workflow and can be used for follow-on actions well beyond the immediate request.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The list_cce_secrets function can return Kubernetes Secret contents when include_data=true, with no confirmation barrier or warning despite the data often containing tokens, passwords, certificates, and API keys. This creates a direct secret exfiltration path to any caller able to invoke the skill.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
install_cce_addon performs a live remote mutation against a CCE cluster by calling create_addon_instance, but the function has no preview/confirm gate and no interface signal that this is a destructive or state-changing action. In this skill's context, that is especially risky because the skill metadata explicitly says mutation actions must use a preview-first, confirm-required workflow, so this function can bypass the intended safety control if invoked directly by an agent.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
update_cce_addon sends an update_addon_instance request that changes live cluster addon configuration, yet it lacks any explicit confirmation requirement or preview step. Because addons can affect cluster services and behavior, an agent or upstream caller could apply unintended changes immediately, contrary to the skill's declared preview-first, confirm-required safety model.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
configure_cce_bursting_addon modifies networking-related addon values and then calls update_addon_instance on a live cluster without any confirmation or dry-run barrier. This is more dangerous than a generic addon update because it changes subnet, VPC-related, and scheduling parameters that can disrupt cluster-to-CCI connectivity, workload placement, or operational availability if misused or incorrectly parameterized.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The code explicitly disables TLS certificate verification for Kubernetes API access by setting verify_ssl = False before using cluster-issued client credentials. In this remediation-oriented skill, that allows a man-in-the-middle on the network path to impersonate the API server, intercept credentials, or influence cluster operations and log configuration changes.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding:
`cce_auto_inspection` automatically escalates from quick check to deep diagnosis whenever an anomaly is detected, causing additional API calls and broader data collection without an explicit confirmation or warning gate. In an agent setting, this can lead to unintended network activity, higher cloud API consumption, and collection of more operational metadata than the caller may expect, especially when invoked from cron or automated workflows.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
When include_raw is enabled, the function writes a full raw Kubernetes inventory to disk, including detailed nodes, pods, workloads, labels, annotations, and cluster topology. In a remediation/operations skill context, that data can expose sensitive internal infrastructure details and workload metadata to local users, logs, backups, or other processes without any built-in warning, redaction, encryption, or access-control safeguard in this file.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
This code writes reports and history records to disk, including cluster scope, elasticity details, recommendations, and file paths, without any built-in disclosure, consent gate, or minimization control visible in this file. In an infrastructure-remediation skill, silent persistence of operational metadata can expose sensitive environment information to other local users, backup systems, or downstream tooling if the output path is shared or insufficiently protected.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The function collects cloud and Kubernetes data such as clusters, nodes, nodepools, deployments, HPAs, metrics, and AOM discovery results, and when include_raw is enabled it persists full raw API responses to disk. These raw files can contain sensitive infrastructure metadata that materially increases reconnaissance value for an attacker and may expose internal topology, scaling bounds, namespaces, workload names, and operational state.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The function retrieves cluster kubeconfig material and returns it directly, including a serialized YAML form, without any confirmation gate, redaction, or user-facing warning. In an auto-remediation skill context, kubeconfig is highly sensitive because it can grant administrative access to the cluster, so exposing it as a normal read operation materially increases the risk of credential disclosure and follow-on cluster compromise.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
This code writes summarized analysis results and, optionally, raw API responses to disk under a caller-controlled output directory without any built-in warning, redaction, or sensitivity checks. Because the collected data can include cluster inventory, pod names, namespaces, HPA details, metrics, and potentially other operational metadata, it creates a real confidentiality risk if written to shared, insecure, or unintended locations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The file exposes a mutation primitive that patches a Deployment's replica count directly once the function is invoked, with no built-in preview, warning, or confirmation gate inside the function. In this skill's context, scaling is an operationally impactful remediation action, so missing an explicit confirmation mechanism increases the risk of accidental or unauthorized production changes, outages, or cost impact.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The code writes kubeconfig material containing cluster access credentials to a predictable path under /tmp, a directory that is commonly shared and may be readable by other local users and processes, and the file may be left behind after crashes. That creates a credential exposure risk that can lead to unauthorized cluster access and follow-on compromise of workloads and secrets.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
This is a second instance of persisting kubeconfig with cluster credentials to /tmp before loading it into the Kubernetes client. Repeating the same pattern in a mutation-capable workflow is especially risky because exposed credentials can be used not just for read access but to change cluster state.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The code explicitly disables TLS certificate verification for Kubernetes API connections with `configuration.verify_ssl = False`. This allows machine-in-the-middle interception or redirection of cluster management traffic, which is especially dangerous here because the same session also uses client certificate authentication and performs mutation-capable operations against the cluster.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The code constructs shell command strings for subagents that inline `ak` and `sk` directly into the command text. This exposes cloud credentials to logs, process listings, downstream agents, transcripts, and any tool that captures or echoes command arguments, which can lead to full compromise of Huawei Cloud resources accessible by those keys.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The subagent prompt explicitly includes raw `ak` and `sk` values in the text returned to another agent. Prompts are commonly logged, stored, inspected, or replayed, so embedding long-lived cloud secrets in prompt content materially increases the chance of credential disclosure and unauthorized cloud access.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The list_cce_secrets function can return Kubernetes Secret data when include_data=True, exposing base64-encoded secret contents directly to the caller with no guardrail, warning, or redaction. In this skill context, the code is part of an auto-remediation runner with broad cluster access, so returning secret material substantially increases the chance of credential leakage through tool output, logs, or downstream agent handling.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The create_cce_node function performs a state-changing infrastructure provisioning action without any preview or confirm gate, unlike delete/cordon/drain operations elsewhere in the file. In an auto-remediation runner, this increases the chance of unintended node creation, cost impact, and unauthorized capacity changes if the function is invoked by an agent or prompt-driven workflow.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The function writes the generated markdown report to a user-controlled path via Path(output_file).write_text(...) with no path validation, sandboxing, or confirmation gate. In an agent context, this can overwrite arbitrary files accessible to the process, potentially clobbering configuration, credentials, logs, or other sensitive local artifacts.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The function writes the generated report to a caller-controlled `output_file` path with no path validation, directory restriction, or overwrite protections. In an agent skill context, this can be abused to overwrite arbitrary files accessible to the process, which is more dangerous because the skill handles infrastructure operations and may run with elevated filesystem privileges in automation environments.

VirusTotal

VirusTotal findings are pending for this skill version.