Huawei Cloud CCE Availability Risk Scanner

Security checks across malware telemetry and agentic risk

Overview

This skill claims to be a read-only Huawei CCE risk scanner, but its packaged dispatcher exposes many cluster-changing and sensitive-data actions.

Install only if you are prepared to audit and restrict it as a privileged cloud administration tool, not just a scanner. Use a dedicated read-only Huawei IAM user and Kubernetes RBAC identity, avoid granting permissions for create/update/delete/patch/scale/secret/log access, and do not pass confirm=true unless you intentionally want a production change.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (136)

Description-Behavior Mismatch (High, 98% confidence)

The wrapper binds destructive functions such as delete_cce_cluster, delete_cce_node, delete_cce_workload, resize_node_pool, and scale_cce_workload into the skill surface even though the skill metadata describes a read-only availability scanner. In a delegated agent context, this mismatch is dangerous because another component can invoke these registered actions and cause service disruption, data loss, or unintended infrastructure changes under the guise of a safety assessment tool.

Context-Inappropriate Capability (Medium, 92% confidence)

The presence of a dangerous-operation confirmation cache shows the codebase is designed to support write operations unrelated to a read-only risk scanner. A soft in-memory confirmation window is not a strong control in agentic environments because it can be replayed or triggered indirectly, and its existence increases the chance that privileged destructive paths remain reachable.

Intent-Code Divergence (High, 96% confidence)

The top-level documentation claims the script only queries resources and monitoring data, but later aliases expose deletion and scaling capabilities. This documentation-to-behavior mismatch is a security issue because operators, orchestrators, or policy engines may trust the declared purpose and grant broader execution than they would for a mutating infrastructure tool.

Description-Behavior Mismatch (High, 99% confidence)

The file exposes broad AOM management capabilities such as creating, updating, enabling, disabling, and deleting alarm and notification rules, which contradicts the skill’s stated purpose of read-only CCE availability risk assessment. In an agent context, this expands the blast radius from passive inspection to active modification of monitoring controls, enabling accidental or unauthorized changes that can suppress detection or disrupt operations.

Context-Inappropriate Capability (High, 98% confidence)

The code can provision and manage alarm infrastructure unrelated to a scanner’s read-only mission, including alarm creation and updates. This violates least privilege and creates an opportunity for an agent or user prompt to repurpose the skill for persistent monitoring changes that were not expected by operators.

Context-Inappropriate Capability (Critical, 100% confidence)

The skill can delete AOM alarm rules and action rules, which is a destructive capability wholly inconsistent with a scanner. If invoked maliciously or by prompt confusion, it could remove alerting and notification paths, blinding operators to outages or attacks and directly harming availability monitoring.

Intent-Code Divergence (Medium, 90% confidence)

The helper performs a signed HTTP POST that updates alarm enablement despite the surrounding skill context claiming read-only assessment. This mismatch is dangerous because reviewers, users, or orchestrators may trust the skill as non-mutating and grant it wider use or permissions than they otherwise would.

Description-Behavior Mismatch (High, 98% confidence)

The skill metadata describes a read-only availability risk scanner, but this module can actively roll back live Kubernetes Deployments when confirm=true. That scope mismatch is security-relevant because callers, reviewers, or policy engines may grant this skill broader trust or permissions than intended, enabling unauthorized state-changing operations against production clusters.

Context-Inappropriate Capability (Low, 87% confidence)

The function accepts an arbitrary output_file path and writes the generated report to that location without any path restriction, validation, or safety boundary. In an agent context, this can lead to unintended file overwrite or data placement in sensitive locations, especially if a user or upstream prompt can influence the path.

Description-Behavior Mismatch (Critical, 99% confidence)

The skill is described as a read-only availability risk scanner, but this file exposes numerous state-changing and destructive capabilities including cluster deletion, node deletion, workload deletion, scaling, hibernation, cordon/drain, and network exposure changes. This is a severe scope mismatch because a user or downstream agent invoking a 'scanner' may unintentionally perform destructive actions under the false assumption that the tool is read-only.

Description-Behavior Mismatch (High, 98% confidence)

The skill claims to perform risk scanning/reporting, yet it includes a function that returns full cluster kubeconfig material, including client credentials and YAML output. Exposing cluster access credentials is far beyond the minimum permissions needed for availability assessment and can enable direct control-plane access.

Context-Inappropriate Capability (Critical, 99% confidence)

The code enumerates Kubernetes Secrets and can optionally return secret data when include_data=true, which is unrelated to availability-only scanning. This creates a direct credential and sensitive data exposure path that can leak application passwords, API keys, certificates, and tokens from the cluster.

Context-Inappropriate Capability (High, 93% confidence)

Pod log retrieval is not necessary for a read-only availability risk scanner and may expose sensitive runtime data such as credentials, tokens, PII, internal URLs, or stack traces. This broadens the skill from posture assessment into operational data exfiltration.

Description-Behavior Mismatch (High, 99% confidence)

The file exposes install, update, uninstall, and network reconfiguration operations even though the skill is described as a read-only availability risk scanner. This creates a dangerous capability mismatch: a caller expecting passive inspection could be induced into performing destructive or configuration-changing actions on production clusters.

Context-Inappropriate Capability (High, 98% confidence)

Addon lifecycle management is not justified by the stated purpose of availability risk scanning and materially expands the attack surface. In a security-sensitive agent environment, unnecessary mutation primitives increase the chance of privilege misuse, accidental outages, and deceptive invocation under the guise of analysis.

Intent-Code Divergence (Medium, 86% confidence)

The module docstring advertises addon management functions, directly contradicting the manifest's read-only scanner positioning. This inconsistency is a security-relevant signal because it obscures actual capabilities and makes it easier for dangerous state-changing code to bypass review or be invoked unexpectedly.

Description-Behavior Mismatch (High, 97% confidence)

This module exposes broad application and audit log discovery/query functionality that goes beyond a read-only availability risk scanner. In this skill context, capability drift is dangerous because operators may grant the skill wider access than intended, increasing the chance of unauthorized observability access and misuse of cluster/log data.

Context-Inappropriate Capability (High, 99% confidence)

The create_cce_logconfig_action function can create LogConfig custom resources, which modifies cluster-side log collection state. For a skill advertised as read-only risk scanning, this is an unjustified write capability that could expand log collection, alter telemetry routing, or be abused to capture additional workload logs.

Context-Inappropriate Capability (High, 99% confidence)

The delete_cce_logconfig_action function can delete LogConfig resources and thereby stop log collection for workloads. In a supposed assessment-only skill, this introduces direct availability and forensic risk because an attacker or mistaken operator could disable logging and reduce detection and incident response visibility.

Description-Behavior Mismatch (Medium, 94% confidence)

The skill is described as a read-only availability/risk scanner, but it writes reports, summaries, raw responses, and persistent history to disk. That creates an unintended data persistence channel for potentially sensitive cluster metadata, metrics, topology, and operational state, which increases exposure if the host filesystem is shared, backed up, or later accessed by other users or processes.

Description-Behavior Mismatch (High, 99% confidence)

This module materially exceeds the stated scope of a read-only availability risk scanner. It contains write-capable workflows to provision VPCEP endpoints, install/configure addons, and deploy workloads, creating a clear capability mismatch that could lead operators or downstream agents to perform infrastructure changes when they expected passive assessment only.

Context-Inappropriate Capability (High, 98% confidence)

The code can create cloud networking endpoints through `_create_endpoint` and `ensure_cce_cci_vpcep`, which is unrelated to passive availability scanning. In the context of a scanner, this hidden write capability is dangerous because it can alter network topology, incur charges, and expand service reachability if invoked by mistake or through prompt/agent confusion.

Context-Inappropriate Capability (High, 99% confidence)

The `setup_cce_cci_bursting` path installs and configures the `virtual-kubelet` addon, directly modifying cluster behavior despite the skill being described as a read-only risk assessor. This is dangerous because an operator may grant the skill broad access based on the manifest, enabling unintended cluster mutations and configuration drift.

Context-Inappropriate Capability (High, 99% confidence)

This section creates namespaces and creates or patches Kubernetes Deployments, which is an active workload-management capability outside the declared purpose of availability risk assessment. In a scanner context, that mismatch is especially risky because users may not anticipate cluster writes, image pulls, scheduling changes, or cost/operational side effects from simply invoking a scan-related skill.

Intent-Code Divergence (Medium, 91% confidence)

The module docstring openly describes setup, deployment, and verification actions that contradict the manifest's description of a read-only availability scanner. While a docstring alone is not exploit code, this inconsistency is security-relevant because it signals deceptive or careless packaging that can mislead reviewers, approval systems, or agents about the true privileges and behaviors of the skill.

VirusTotal

VirusTotal findings are pending for this skill version.