Huawei Cloud Cce Cci Bursting Deployer

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as a narrow Huawei CCE-to-CCI bursting helper, but its shipped command dispatcher exposes much broader cloud and Kubernetes administration powers.

Review this before installing. Only use it with tightly scoped Huawei IAM and Kubernetes RBAC credentials that allow the documented CCE-to-CCI bursting workflow, not broad cluster admin, Secret read, monitoring-admin, EIP, HSS, ELB, or deletion permissions. Treat any use of confirm=true as a production change and consider removing or isolating the unrelated dispatcher actions before trusting it in an agent workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (135)

Description-Behavior Mismatch (High, 98% confidence)
The module docstring claims the script only queries Huawei Cloud resources and monitoring data, but the file later exposes destructive and mutating operations such as cluster, node, and workload deletion and scaling. This mismatch is dangerous because users, reviewers, or calling agents may grant broader trust or permissions based on the stated read-only purpose while the code can actually perform state-changing actions.

Description-Behavior Mismatch (Medium, 95% confidence)
This bursting deployer skill is scoped to CCE-to-CCI elasticity, but the compatibility alias table exposes broad management actions across compute, IAM, storage, networking, ELB, and monitoring. Excess capability increases blast radius: if invoked incorrectly or abused, the skill can enumerate or alter unrelated resources beyond the user’s expected task.

Context-Inappropriate Capability (Medium, 95% confidence)
The skill exposes unjustified cloud inventory and control functions such as IAM project listing, network/security inventory, storage metrics, AOM alarm access, and load balancer operations. In the context of a narrowly scoped bursting deployer, these capabilities create unnecessary privilege concentration and enable broad reconnaissance or misuse if the skill is compromised or prompted outside intended workflows.

Intent-Code Divergence (High, 99% confidence)
The file declares a security constraint forbidding persistence of authentication material to the filesystem, yet helper logic writes client certificate and key data from kubeconfig into files for Kubernetes client use. Even if intended as temporary files, this creates exposure through local file access, backup tools, crash artifacts, race conditions, or incomplete cleanup, directly contradicting the stated control.

Description-Behavior Mismatch (High, 97% confidence)
This module exposes broad AOM administration features including alarm creation, modification, enable/disable, and notification-rule management that are not required for a skill scoped to CCE→CCI bursting deployment and diagnostics. In an agent setting, excessive capabilities increase blast radius: a prompt or tool invocation intended for troubleshooting could be steered into altering monitoring posture, suppressing alerts, or deleting notification infrastructure.

Context-Inappropriate Capability (High, 99% confidence)
The code can delete AOM action/notification rules, which can disable operational alert delivery by removing SMN-backed notification paths. That is a destructive control-plane action unrelated to the skill's stated purpose, so if misused it could silently blind operators to outages or security events.

Context-Inappropriate Capability (High, 98% confidence)
The file supports creating, updating, enabling, disabling, and deleting AOM alarm rules across enterprise projects, which allows the agent to materially change detection coverage and incident visibility. Even with confirm flags, these are powerful write operations beyond bursting diagnostics, so the mismatch between declared scope and actual capability creates a privilege-expansion risk.

Context-Inappropriate Capability (Medium, 96% confidence)
The code writes report_markdown to Path(output_file).write_text(...) using an unvalidated user-controlled path. This can overwrite arbitrary files accessible to the process, enabling local file clobbering, tampering with configs or logs, and possible follow-on impact depending on runtime privileges.

Description-Behavior Mismatch (High, 99% confidence)
This file implements broad Huawei CCE and Kubernetes administration capabilities far beyond the declared purpose of enabling and diagnosing CCE→CCI bursting. The excess scope materially increases the blast radius of the skill, exposing cluster lifecycle, workload mutation, credential extraction, and network exposure operations that a bursting-focused skill should not need.

Context-Inappropriate Capability (High, 99% confidence)
The skill can enumerate Kubernetes Secrets and optionally return secret data, which may include credentials, tokens, certificates, and application secrets. For a bursting deployment skill, this is unjustified credential access and creates a direct path to compromise workloads, cloud resources, or lateral movement.

Context-Inappropriate Capability (High, 99% confidence)
The function returns kubeconfig content and YAML containing client credentials for cluster access. Exposing these credentials through skill output enables full cluster access outside the intended workflow and can be used to persist unauthorized administrative control.

Context-Inappropriate Capability (High, 97% confidence)
Binding or unbinding a public EIP to the cluster control plane changes the public exposure of the Kubernetes API server. This can accidentally expose an administrative endpoint to the internet or disrupt access, and it is unrelated to the stated bursting-only purpose of the skill.

Context-Inappropriate Capability (Medium, 91% confidence)
The skill can hibernate and awake entire clusters, affecting workload availability and billing state. Those lifecycle controls are broader than bursting deployment/diagnostic needs and enable unnecessary service disruption if misused.

Context-Inappropriate Capability (High, 98% confidence)
The code supports destructive deletion of clusters, nodes, and workloads, which can cause immediate denial of service and data loss. Even with confirmation flags, these capabilities are outside the documented bursting-focused scope and significantly increase risk.

Description-Behavior Mismatch (High, 94% confidence)
The file implements APM Java agent injection, secret creation, and workload mutation even though the skill is described as a Huawei CCE-to-CCI bursting deployer. That scope mismatch is dangerous because it hides a powerful workload-modification capability inside an unrelated skill, increasing the chance of unauthorized instrumentation, unexpected rollouts, and credential placement in clusters where users did not intend observability changes.

Context-Inappropriate Capability (High, 93% confidence)
The code builds a patch that adds init containers, volume mounts, environment variables, and a javaagent to application workloads, which is unrelated to the stated bursting purpose. In this skill context that is more dangerous because operators invoking a bursting tool would not reasonably expect application instrumentation and pod-template mutation, making accidental production rollout changes more likely.

Intent-Code Divergence (Medium, 83% confidence)
The docstring says 'Preview-first APM Java probe injection for CCE workloads,' but confirmed execution performs live secret upserts and workload patching. While there is a confirm gate, the descriptive framing can still understate the operational impact and mislead reviewers or users about the fact that this code mutates running workloads and triggers rollouts.

Description-Behavior Mismatch (High, 95% confidence)
This file adds broad application-log and audit-log management capabilities, including discovery, querying, analysis, and log configuration management, which materially exceeds the declared purpose of a CCE-to-CCI bursting deployer. Scope creep is dangerous in agent skills because it grants operators an unexpected path to inspect cluster activity and modify logging configuration, increasing the attack surface and enabling unauthorized reconnaissance or operational changes under a misleading skill label.

Context-Inappropriate Capability (High, 97% confidence)
The code auto-discovers audit log streams and analyzes Kubernetes audit events, including users, verbs, resources, namespaces, URIs, source IPs, and status codes. In the context of a bursting deployment skill, this is an unrelated high-sensitivity capability that can reveal privileged operational telemetry and support reconnaissance about cluster activity and identities.

Context-Inappropriate Capability (High, 96% confidence)
The code can create and delete LogConfig custom resources, directly modifying cluster log collection behavior. That is a powerful administrative capability unrelated to CCE-to-CCI bursting and could be abused to disable visibility, redirect logs, or expand collection to additional workloads, making the mismatch between declared purpose and actual power especially risky.

Description-Behavior Mismatch (High, 98% confidence)
The file adds a generic CCE availability auditing capability that is outside the stated purpose of a CCE→CCI bursting deployer skill. In an agent context, out-of-scope cluster reconnaissance materially increases data access and operational reach, which can expose sensitive topology, workload, and control-plane information without the user expecting that behavior.

Description-Behavior Mismatch (High, 99% confidence)
This code enumerates nodes, pods, workloads, PDBs, services, ingresses, cluster info, and node pools across the cluster, which is unrelated to enabling or validating CCI bursting. Such broad inventory collection creates an unnecessary reconnaissance surface and can leak sensitive environment structure, service exposure, and operational posture if the skill is invoked in a trusted automation flow.

Context-Inappropriate Capability (High, 97% confidence)
The implementation performs broad availability auditing, including control-plane health, node AZ spread, workload placement, PDB coverage, probes, and resource-ratio analysis, none of which are justified by the skill's declared bursting-deployer purpose. In a skill ecosystem, hidden secondary auditing behavior is dangerous because users may authorize the skill for one task while it silently performs much broader cluster analysis.

Intent-Code Divergence (Medium, 90% confidence)
The function is documented as a read-only scan, but it can write reports and optionally raw inventory to disk. This mismatch can mislead operators and higher-level agents about side effects, causing sensitive cluster data to be persisted where users did not expect any local artifact creation.

Description-Behavior Mismatch (High, 92% confidence)
This file implements broad cluster lifecycle operations including create, delete, hibernate, awake, and master EIP management, which materially exceed a skill advertised as focused on CCE-to-CCI bursting configuration and verification. Scope expansion is dangerous because it gives the skill destructive and high-impact control-plane capabilities a user may not reasonably expect, increasing the chance of accidental or unauthorized infrastructure changes through the agent.

VirusTotal

65/65 vendors flagged this skill as clean.