Huawei Cloud Cce Autoscaling Diagnoser

Security checks across malware telemetry and agentic risk

Overview

The skill advertises read-only autoscaling diagnosis, but its bundled dispatcher can retrieve cluster credentials/secrets and perform live cloud or Kubernetes changes beyond that scope.

Review carefully before installing. Use only least-privilege, read-only Huawei Cloud credentials in an isolated environment, and avoid production/admin AK/SK unless the publisher narrows the dispatcher to the advertised diagnostic actions, redacts kubeconfig and Secret values, removes credential echoing in prompts/commands, and adds confirmation gates for all mutations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (71)

Missing User Warnings (Low severity, 91% confidence)
The function accepts an arbitrary `output_file` path, creates parent directories, and writes the generated markdown report there without validating or constraining the destination. In an agent setting, if an attacker can influence this parameter, they may cause unauthorized file creation or overwrite in writable locations, which is a path-traversal/arbitrary file-write risk even though the content is only markdown.

Missing User Warnings (High severity, 98% confidence)
`get_cce_kubeconfig` returns full kubeconfig material, including client certificate and key data, directly to the caller and even serializes it to YAML. That is effectively cluster access credential exfiltration: anyone who can invoke this skill or capture its output can authenticate to the Kubernetes API with the granted privileges.

Missing User Warnings (High severity, 99% confidence)
`list_cce_secrets` can return Kubernetes Secret contents whenever `include_data=true`, with no secondary confirmation, warning, or redaction. Since Kubernetes Secrets commonly hold passwords, tokens, certificates, and cloud credentials, this creates a straightforward secret disclosure channel.

Missing User Warnings (Medium severity, 90% confidence)
`bind_cce_cluster_eip` exposes the Kubernetes control plane to a public EIP but lacks any explicit warning, confirmation gate, or friction despite materially increasing the attack surface. Publicly reachable API endpoints are more exposed to brute force, misconfiguration abuse, token theft fallout, and internet-origin scanning.

Missing User Warnings (Medium severity, 95% confidence)
`install_cce_addon` performs a state-changing cloud operation that installs software into a live CCE cluster as soon as valid credentials and parameters are supplied. In an agent skill context, the absence of an explicit confirmation gate makes accidental or prompt-induced infrastructure modification materially more dangerous, because the tool can change production cluster behavior without a deliberate second-step approval.

Missing User Warnings (Medium severity, 97% confidence)
`update_cce_addon` issues a live remote addon upgrade/reconfiguration without any confirmation barrier, which can alter cluster networking, observability, scheduling, or other control-plane-adjacent behavior. In this autoscaling diagnosis skill, that is especially risky because a troubleshooting workflow may unexpectedly transition from inspection to mutation, enabling unintended production changes if user intent is misinterpreted or manipulated.

Missing User Warnings (Medium severity, 98% confidence)
`configure_cce_bursting_addon` modifies live addon network and scheduling-related configuration, including subnet, VPC-derived settings, and optional feature flags, without any explicit confirmation step. Because these settings affect burst scheduling between CCE and CCI, accidental or adversarial invocation could disrupt workload placement, networking, logging, or scaling behavior in a production cluster.

Missing User Warnings (Medium severity, 90% confidence)
When `include_raw` is enabled, the scanner serializes the full Kubernetes inventory to `availability-risk-raw-inventory.json` on local disk. That inventory can contain sensitive operational metadata such as node names, labels, namespaces, workload names, service mappings, ingress relationships, and pod placement details, which can aid reconnaissance or expose internal infrastructure if the filesystem is shared, logged, backed up, or accessible to other users.

Missing User Warnings (Medium severity, 94% confidence)
When `include_raw` is enabled, the function writes full raw cloud/API responses for clusters, nodes, node pools, deployments, HPAs, metrics, and AOM discovery directly to disk. These artifacts can contain sensitive infrastructure metadata and operational details, and the code does not gate this behavior with explicit consent, sanitization, encryption, or redaction, increasing the risk of local data exposure or unintended retention.

Missing User Warnings (Medium severity, 91% confidence)
History recording persists detailed cluster analysis results, including scope, capacity statistics, elasticity state, recommendations, action notes, and generated file locations, into JSON and JSONL files. Even if credentials are not directly written, this creates a durable inventory of cluster behavior and configuration that may be sensitive in shared environments or on improperly protected hosts.

Missing User Warnings (Medium severity, 95% confidence)
The function retrieves and returns full kubeconfig material, including client certificates/tokens and API endpoint details, directly to the caller without any explicit confirmation gate, masking, or least-privilege restriction. In an agent skill context, this is especially dangerous because it can silently transform a diagnostic workflow into cluster credential exfiltration, enabling unauthorized cluster access if invoked by an untrusted or confused user request.

Missing User Warnings (Medium severity, 94% confidence)
When `include_raw` is enabled, the code writes unredacted raw API responses from cluster, node, pod, deployment, HPA, and metrics collection directly to disk. Those payloads can contain sensitive operational metadata and potentially credentials-adjacent information, so persisting them without explicit user consent, sanitization, retention controls, or access restrictions increases the risk of local data exposure.

Missing User Warnings (Low severity, 87% confidence)
The function writes analysis summaries and Markdown reports containing cluster inventory, utilization, pod, HPA, and autoscaling details to arbitrary output paths without any user-facing disclosure or sensitivity warning. Even if this is less severe than raw-response dumping, these reports still expose internal infrastructure structure and workload information that may be readable by unintended local users or processes.

Missing User Warnings (Medium severity, 95% confidence)
The file exposes a scaling operation that directly changes Kubernetes deployment replica counts via `patch_namespaced_deployment_scale` without any built-in confirmation, dry-run, or explicit user-facing warning in the function itself. In an agent skill context, this crosses from diagnosis into mutation of production infrastructure, so accidental invocation or prompt confusion could cause service disruption, cost increase, or interfere with autoscaling behavior.

Missing User Warnings (Medium severity, 97% confidence)
The code writes kubeconfig material to `/tmp`, which can persist cluster access credentials on local disk in a commonly shared and less-controlled location. If other local users, processes, backups, or crash artifacts can access that file, they may obtain administrative access to the Kubernetes cluster.

Missing User Warnings (Medium severity, 98% confidence)
Before performing a scaling operation, the function persists kubeconfig to `/tmp` and then loads it from that path, creating a credential exposure window right before a privileged cluster mutation. Combining stored admin credentials with a write-capable operation increases the blast radius: credential theft could lead to broader unauthorized changes across the cluster.

Missing User Warnings (High severity, 99% confidence)
The subagent task generator builds shell command strings that include raw access key and secret key values directly in the command line. Command-line arguments are commonly exposed through process listings, shell history, logs, orchestration traces, and subagent telemetry, so this creates a real credential disclosure path rather than a purely theoretical concern.

Missing User Warnings (High severity, 98% confidence)
The prompt-generation function explicitly includes `ak` and `sk` values in human-readable execution instructions and in the sample command, which can leak secrets to users, logs, LLM transcripts, subagents, and audit systems. In an agent skill, propagating secrets through prompt text is especially dangerous because prompts are often retained or forwarded far beyond the immediate execution context.

Missing User Warnings (Medium severity, 95% confidence)
The function writes client certificate and private key material for cluster access to predictable files under `/tmp`. Even though cleanup is attempted later, the files may remain if the process crashes or another exception path is taken, and `/tmp` handling increases exposure to local disclosure or symlink/race issues depending on file creation behavior and permissions.

Missing User Warnings (Medium severity, 92% confidence)
The code decodes certificate-authority, client certificate, and client private key material from a generated kubeconfig and writes them to disk using `NamedTemporaryFile(delete=False)`. Although cleanup is attempted in a `finally` block, the files exist on the filesystem during execution and may be exposed to other local processes, backups, crash dumps, or remain behind if the process terminates abruptly, creating unnecessary credential-at-rest exposure.

Missing User Warnings (Medium severity, 97% confidence)
The `create_node_pool` function submits a real cloud state-changing operation immediately once parameters are supplied, unlike resize and delete which require an explicit confirm gate. In an agent skill context, this increases the risk of accidental infrastructure creation, unexpected billing, and unintended cluster changes from ambiguous prompts, prompt injection, or tool misuse.

Missing User Warnings (Medium severity, 93% confidence)
The function writes `report_markdown` to a user-controlled `output_file` path with no validation or path restriction. In an agent context, this can overwrite arbitrary files writable by the process, causing integrity loss, clobbering configuration, or writing sensitive operational data to unintended locations.

Missing User Warnings (Medium severity, 90% confidence)
`start_ecs_instance` performs a state-changing cloud action immediately when called, unlike the adjacent stop/reboot helpers that require explicit confirmation. In an agent skill context, this increases the chance of unintended infrastructure changes from ambiguous prompts, chaining mistakes, or prompt-injection-induced tool use, especially because powering on instances can incur cost, trigger workloads, or alter incident-state systems.

Missing User Warnings (Medium severity, 95% confidence)
Client certificate and private key material from the generated cluster kubeconfig are written to temporary files on disk. Even though cleanup is attempted, the files persist long enough to be exposed to local attackers, crash scenarios, insecure temp directory monitoring, or later forensic recovery, which is especially sensitive because this skill is designed to access Kubernetes clusters for diagnosis.

Missing User Warnings (High severity, 99% confidence)
TLS certificate verification is explicitly disabled for Kubernetes API access via `configuration.verify_ssl = False`. This permits man-in-the-middle interception or spoofing of the Kubernetes API endpoint, enabling credential theft, response tampering, and potentially unauthorized cluster actions during diagnosis.

VirusTotal

VirusTotal findings are pending for this skill version.