Huawei Cloud Cce Capacity Trend Forecaster

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Huawei CCE capacity tool, but it exposes undocumented cluster-admin and secret-reading capabilities beyond the advertised forecasting workflow.

Review this before installing: treat it as a broad Huawei Cloud operations tool, not just a capacity forecaster. Use least-privilege temporary credentials, avoid passing AK/SK as command parameters, do not enable raw exports unless needed, and do not invoke undocumented actions such as kubeconfig, secret, addon, EIP, nodepool, or remediation commands unless you understand the impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (63)

Missing User Warnings (Medium severity, 95% confidence)
The function writes a generated report to a caller-controlled output_file path using Path(output_file).write_text(...) without any path validation, sandboxing, or restriction to an approved workspace directory. In an agent setting, a user can supply arbitrary filesystem paths and cause unintended file creation or overwrite, which can corrupt local files, poison prompts/configs, or persist data in sensitive locations if the process has sufficient permissions.

Missing User Warnings (High severity, 99% confidence)
The get_cce_kubeconfig function returns full kubeconfig material, including client certificate/key data and cluster endpoints, directly to the caller. That grants cluster API access and can enable full cluster compromise if the response is exposed through logs, chat history, or an unintended caller path.

Missing User Warnings (High severity, 98% confidence)
list_cce_secrets can return Kubernetes Secret contents when include_data=true, exposing base64-encoded secret material directly to the caller. In an agent setting this is especially dangerous because secrets may be surfaced into transcripts, tool logs, or downstream systems and lead to credential theft and lateral movement.

Missing User Warnings (Medium severity, 86% confidence)
get_pod_logs returns raw pod logs without any safety warning or redaction. Application logs commonly contain tokens, PII, internal URLs, stack traces, or customer data, so exposing them directly can leak sensitive information through the skill interface.

Missing User Warnings (High severity, 98% confidence)
bind_cce_cluster_eip makes the Kubernetes control plane publicly reachable by attaching an EIP, but it performs this security-sensitive exposure change without explicit confirmation. This can materially increase attack surface for the API server and enable internet-originated attacks against cluster administration endpoints.

Missing User Warnings (Medium severity, 77% confidence)
unbind_cce_cluster_eip changes public API accessibility without explicit confirmation. While usually reducing exposure rather than increasing it, it is still a sensitive network-control action that can unexpectedly disrupt operations or incident response connectivity.

Missing User Warnings (Medium severity, 91% confidence)
The install_cce_addon function performs a live cloud-side state change by creating a CCE addon, but its interface does not require any explicit confirmation or strongly signal that it will mutate cluster state. In an agent/tooling context, this increases the risk of accidental or prompt-induced infrastructure changes, especially because addon installation can affect cluster behavior, networking, monitoring, or scheduling.

Missing User Warnings (Medium severity, 94% confidence)
The update_cce_addon function changes the configuration or version of an existing cluster addon without any confirmation gate. Because addon updates can alter production cluster components and availability, an LLM agent or user could trigger disruptive changes unintentionally or through adversarial prompting.

Missing User Warnings (Medium severity, 96% confidence)
configure_cce_bursting_addon modifies live addon network and scheduling-related settings for CCE bursting behavior, which is more sensitive than a simple metadata update because it can affect workload placement, networking, proxying, and logging. Without explicit confirmation, an agent could silently reconfigure production cluster behavior, creating outage or misrouting risk if invoked with incorrect or adversarial parameters.

Missing User Warnings (Medium severity, 98% confidence)
The code disables TLS verification for Kubernetes API access with `configuration.verify_ssl = False` while using dynamically obtained cluster credentials. This permits man-in-the-middle interception or endpoint spoofing, which can expose client certificates/keys and allow unauthorized API responses or cluster manipulation. In a cluster-management skill, this is especially dangerous because the code can create and delete LogConfig custom resources against the cluster API.

Missing User Warnings (Medium severity, 86% confidence)
The audit log query path returns raw audit events, including usernames, source IPs, request URIs, user agents, and the full parsed audit payload in `raw`. Audit logs often contain sensitive operational and identity data, so returning them wholesale without redaction, minimization, or access warnings can leak privileged metadata to downstream callers or logs.

Missing User Warnings (Medium severity, 92% confidence)
The function can persist a full raw Kubernetes/CCE inventory to disk when include_raw is enabled, and that inventory contains sensitive operational metadata such as node details, pod/workload names, labels, annotations, services, and ingresses. In a capacity/risk analysis skill, this creates a real data exposure risk because the output path is caller-controlled and there is no warning, consent gate, redaction, or minimization before writing potentially sensitive cluster state to local storage.

Missing User Warnings (Medium severity, 95% confidence)
The code can persist full raw collection responses from clusters, nodes, nodepools, deployments, HPAs, metrics, and AOM discovery to disk when include_raw is enabled, with no built-in minimization, redaction, or explicit consent mechanism. In this cloud-operations context, those raw artifacts may contain sensitive infrastructure metadata, workload names, topology, scaling configuration, and potentially credentials-adjacent operational details that increase exposure if the host filesystem is shared, backed up, or later exfiltrated.

Missing User Warnings (Low severity, 91% confidence)
The history feature automatically writes recurring capacity-analysis records to disk, including scope, elasticity configuration, recommendations, and file references, without any explicit disclosure or retention boundary in the code path. While less sensitive than raw dumps, longitudinal infrastructure records can still reveal operational patterns, scaling limits, and business workload behavior over time, which becomes useful intelligence if accessed by unauthorized parties.

Missing User Warnings (High severity, 97% confidence)
The function returns full kubeconfig material, including client credentials and cluster endpoints, directly to the caller without any explicit confirmation, risk warning, masking, or scope restriction. In a skill ecosystem, this is highly sensitive access material that can enable direct administrative access to the Kubernetes cluster if exposed to an unintended user, downstream tool, logs, or prompt transcript.

Missing User Warnings (Medium severity, 91% confidence)
Binding an EIP to the cluster control plane enables public Kubernetes API exposure, but the function performs the action immediately with no confirmation gate and only a descriptive docstring. This increases the chance of accidental internet exposure of a management interface, which can materially expand the attack surface if network ACLs, RBAC, or API authentication are misconfigured.

Missing User Warnings (Medium severity, 91% confidence)
When include_raw is enabled, the function writes raw node, pod, deployment, HPA, and metrics responses to disk. In the context of a cluster analysis skill, those artifacts can contain sensitive infrastructure inventory, workload names, namespaces, internal IPs, and utilization data, creating a confidentiality risk if the output directory is shared, persisted unexpectedly, or readable by other users/processes.

Missing User Warnings (Low severity, 83% confidence)
The code always writes a summary JSON and Markdown report when output_dir is supplied, without any in-code indication that cluster analysis results will be persisted. Even though this is less sensitive than full raw responses, the report still includes cluster IDs, namespace scope, node utilization, and optimization findings, which may disclose operational details to unintended readers.

Missing User Warnings (Medium severity, 96% confidence)
The file exposes a state-changing scaling operation that patches a Deployment's replica count and the CLI can invoke it directly, but there is no explicit user-facing warning, dry-run mode, or confirmation gate in this function. In an agent skill context, hidden infrastructure mutations are dangerous because a diagnostic workflow can unexpectedly alter production availability, cost, or incident state.

Missing User Warnings (Medium severity, 98% confidence)
The code retrieves kubeconfig credentials and writes them to predictable files under /tmp in both CoreDNS checks and workload scaling flows. Kubeconfig commonly contains cluster access credentials or tokens, and storing it in a world-accessible temporary location can leak privileged access to other local users, processes, or later forensic recovery.

Missing User Warnings (Medium severity, 99% confidence)
The code constructs subagent command strings and prompts that include raw access key and secret key values directly in shell command text. This can expose long-lived cloud credentials through logs, agent transcripts, process listings, task metadata, crash reports, or downstream subagents, enabling unauthorized access to Huawei Cloud resources if those values are captured.

Missing User Warnings (Medium severity, 98% confidence)
The function can return Kubernetes Secret contents when include_data=True, exposing base64-encoded secret material such as tokens, credentials, and keys directly to the caller without any warning, redaction, or scope restriction. In this skill context, the code is intended for capacity and trend analysis, so secret enumeration and disclosure are not necessary for the stated purpose and materially increase the risk of credential theft and lateral movement.

Missing User Warnings (Medium severity, 93% confidence)
The code decodes the client certificate and private key from the cluster credential response and writes them to predictable files under /tmp. Even though cleanup is attempted later, temporary on-disk storage of authentication material increases exposure through local file disclosure, race conditions, process crashes, or incomplete cleanup.

Missing User Warnings (Low severity, 97% confidence)
The skill allows caller-supplied cpu_query and memory_query strings to be forwarded directly to the external AOM Prometheus API with no validation, allowlist, or safety constraints. In this context, arbitrary PromQL can be used to query unintended metrics or expand visibility beyond the intended pod/node capacity use case, potentially exposing sensitive operational metadata from the cluster monitoring backend.

Missing User Warnings (Medium severity, 97% confidence)
`create_node_pool` directly performs a state-changing cloud operation that provisions infrastructure and can affect cost, capacity, networking, and cluster posture, but unlike the resize and delete functions it has no `confirm` gate or equivalent dry-run/acknowledgment path. In an agent skill context, this makes accidental or prompt-induced resource creation materially more likely, especially because the surrounding module is intended for capacity planning and autoscaling workflows where an LLM may escalate from analysis into action.

VirusTotal

VirusTotal findings are pending for this skill version.