Huawei Cloud Cce Change Impact Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill is presented as read-only change-impact analysis, but its packaged dispatcher exposes many cloud and Kubernetes mutation, deletion, remediation, and credential-return actions.

Install only after reviewing the full action surface and use tightly scoped read-only Huawei Cloud credentials if possible. Do not grant production admin credentials unless you intentionally want the bundled administrative and remediation actions available, and avoid invoking unlisted actions through the dispatcher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (115)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The wrapper binds destructive operations such as cluster deletion, node deletion, workload deletion, node-pool resize, and workload scaling into a skill whose stated purpose is change-impact analysis. In an agentic context, exposing mutation and deletion primitives greatly increases the chance that a prompt, misrouting bug, or malicious instruction can turn a read-only analysis workflow into an infrastructure-changing action.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The exported capabilities materially exceed what is justified for forensic or change-impact analysis, including infrastructure-management functions that can alter or destroy CCE resources. This violates least privilege and expands the blast radius from information gathering to service disruption or irreversible data-plane/control-plane changes.

Intent-Code Divergence

Severity: Medium
Confidence: 83%
Finding
The module docstring describes the script as only querying resources and monitoring data, but the bound functions include deletion and scaling operations. This mismatch can mislead reviewers, operators, and higher-level agents into granting trust or permissions inappropriate for the actual behavior, making accidental misuse more likely.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
This file is part of a skill described as a change-impact analyzer, but it includes broad AOM control-plane capabilities such as creating, updating, deleting, enabling, and disabling alarm and notification rules. That violates least privilege and creates a dangerous mismatch between declared analysis intent and actual write/destructive behavior, increasing the chance an agent or user invokes state-changing actions during what should be a read-only investigation.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The code can create, modify, enable/disable, and delete AOM alarm and action rules, even though the surrounding skill is framed as an analyzer. An attacker, prompt injection, or operator mistake could suppress alerts, delete notification routes, or create misleading rules, directly undermining monitoring integrity and incident detection.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
This function performs a real Kubernetes Deployment rollback by calling replace_namespaced_deployment after only a parameter-based confirmation check. That behavior materially exceeds the skill's declared change-impact analysis purpose, creating an unexpected state-changing capability that could be triggered by users or upstream orchestration that believed the skill was read-only.
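The overview's advice to avoid unlisted dispatcher actions and this finding that a confirm parameter is the only gate on a live rollback come down to the same design question: who is allowed to switch a mutation on? The following is an added example, not code from the skill or from SkillSpector, of a dispatcher that refuses unlisted names, runs read-only actions directly, ignores a model-settable confirm flag, and only executes a mutation after an operator has approved that exact action and argument set through a path the agent cannot call. The action names, the simulated actions and the approval flow are assumptions made for the example.

```python
import hashlib
import json
import secrets
from typing import Any, Callable, Dict, Optional, Set, Tuple


class ActionDenied(Exception):
    """Raised for names the dispatcher does not export."""


class Dispatcher:
    """Agent-facing dispatcher with a read-only default (example code).

    - Only names in the action table are callable, so module functions that
      were never meant to be tools stay unreachable.
    - Names in `read_only` run immediately.
    - Any other name is a mutation: the first call records a pending request
      and returns its id; an operator approves that exact (action, arguments)
      pair via approve(), which is never registered as an agent tool; the
      approval is consumed on first use, so it cannot be replayed.
    - A `confirm` argument in the tool call is ignored: the party asking for
      the action is the same party that sets it.
    """

    def __init__(self, actions: Dict[str, Callable[..., Any]], read_only: Set[str]):
        missing = read_only - actions.keys()
        if missing:
            raise ValueError(f"read_only names not in action table: {missing}")
        self._actions = actions
        self._read_only = read_only
        self._pending: Dict[str, Tuple[str, str]] = {}   # request id -> (action, fingerprint)
        self._approved: Dict[str, Tuple[str, str]] = {}
        self.audit: list = []

    @staticmethod
    def _fingerprint(action: str, args: Dict[str, Any]) -> str:
        # Canonical JSON so an approval binds to exactly these arguments.
        canon = json.dumps({"action": action, "args": args}, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def dispatch(self, action: str, approval_id: Optional[str] = None, **args: Any) -> Any:
        if action not in self._actions:
            self.audit.append(("deny_unlisted", action))
            raise ActionDenied(f"{action!r} is not an exported action")
        if action in self._read_only:
            self.audit.append(("allow", action))
            return self._actions[action](**args)
        args.pop("confirm", None)                     # not an approval, deliberately dropped
        fp = self._fingerprint(action, args)
        if approval_id and self._approved.get(approval_id) == (action, fp):
            del self._approved[approval_id]           # single use
            self.audit.append(("allow_mutation", action))
            return self._actions[action](**args)
        request_id = secrets.token_hex(8)
        self._pending[request_id] = (action, fp)
        self.audit.append(("pending", action))
        return {"status": "pending_approval", "request_id": request_id, "action": action}

    def approve(self, request_id: str) -> None:
        """Operator-side call; must never be exposed to the agent as a tool."""
        self._approved[request_id] = self._pending.pop(request_id)


def demo_dispatcher() -> Dispatcher:
    """Simulated CCE actions, constructed for the example; they touch no cloud API."""
    state = {"api": 3}

    def list_workloads() -> Dict[str, int]:
        return dict(state)

    def scale_workload(name: str, replicas: int) -> int:
        state[name] = replicas
        return state[name]

    return Dispatcher(
        {"list_workloads": list_workloads, "scale_workload": scale_workload},
        read_only={"list_workloads"},
    )


if __name__ == "__main__":
    d = demo_dispatcher()
    print(d.dispatch("list_workloads"))
    req = d.dispatch("scale_workload", name="api", replicas=0, confirm=True)
    print(req)                      # pending: confirm=True bought nothing
    d.approve(req["request_id"])    # the operator step, outside the tool interface
    print(d.dispatch("scale_workload", approval_id=req["request_id"], name="api", replicas=0))
```

The fingerprint is what makes the approval meaningful: an approved id presented with different arguments (say replicas=1 instead of 0) falls back to a new pending request rather than running, and a second presentation of a consumed id does the same.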

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
auto_remediation_run chains diagnosis, rollback preview/execution, recovery polling, and file output, so the module is not just analyzing changes but orchestrating operational actions. In the context of a skill advertised for change-impact analysis, this is a dangerous capability mismatch that can mislead operators and bypass expected scrutiny for write actions.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The code automatically proceeds from diagnosis to rollback execution when confirm=true and then waits for recovery, effectively operationalizing a corrective action based on inferred cause categories. In an analysis-oriented skill, embedding automatic rollback increases the chance of unintended service disruption or abuse if the skill is invoked under incorrect assumptions about its scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The skill writes a report to any caller-supplied local path via Path(output_file).write_text without path restrictions or explicit disclosure. This can overwrite arbitrary files accessible to the process, which is especially risky when the skill is expected to perform analysis rather than local filesystem modification.
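An unrestricted Path(output_file).write_text lets a caller (or a model steered by one) overwrite any file the process can reach, including via ../ segments, absolute paths and symlinks planted in the report directory. The following is an added example, not the skill's code, of the check a practitioner would put in front of that write: the caller-supplied name must resolve to a file directly inside a fixed report directory, and the file is created with O_EXCL and O_NOFOLLOW so an existing file is never clobbered and a symlink that appears after the check is never written through. The report directory and file names are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


class UnsafeOutputPath(ValueError):
    """Raised when a caller-supplied name would land outside the report directory."""


def safe_report_path(output_file: str, report_dir: Path) -> Path:
    """Map a caller-supplied name onto a flat report directory.

    Absolute paths, '..' segments, subdirectories and symlinked components are
    all rejected by resolving the candidate and requiring its real parent to
    be the real report directory.
    """
    base = report_dir.resolve(strict=True)
    # Path division discards `base` when output_file is absolute; resolve()
    # then shows where the name really points before anything is written.
    candidate = (base / output_file).resolve()
    if candidate.parent != base:
        raise UnsafeOutputPath(f"{output_file!r} does not name a file directly under {base}")
    return candidate


def write_report(output_file: str, content: str, report_dir: Path) -> Path:
    """Create the report without following symlinks and without overwriting."""
    target = safe_report_path(output_file, report_dir)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return target


def demo_outcomes() -> dict:
    """Exercise the check on constructed inputs in a temp dir; returns a summary."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "reports"
        base.mkdir()
        (base / "escape-link").symlink_to(tmp)   # a symlink pointing out of the directory
        results["plain"] = write_report("impact.json", "{}", base).name
        for name in ("../escape.json", "/etc/passwd", "sub/x.json", "escape-link/x.json", "."):
            try:
                write_report(name, "{}", base)
                results[name] = "written"
            except UnsafeOutputPath:
                results[name] = "rejected"
        try:
            write_report("impact.json", "again", base)   # same name twice
            results["clobber"] = "written"
        except FileExistsError:
            results["clobber"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo_outcomes().items():
        print(f"{name!r}: {outcome}")
```

The path check does the real work; O_NOFOLLOW and O_EXCL only close the window between the check and the open. If the skill legitimately needs to refresh a report under the same name, drop O_EXCL and write to a temporary name in the same directory followed by os.replace, rather than reopening the checked path for writing.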

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The module docstring openly describes remediation orchestration, which conflicts with the manifest's analysis-only framing and signals a capability mismatch. This mismatch is security-relevant because reviewers, users, or policy engines may grant this skill broader trust than is appropriate for code that can mutate production workloads.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The file exposes many destructive and state-changing operations—cluster/node/workload deletion, scaling, hibernation, cordon/drain, and EIP binding—despite the skill being described as a change-impact analysis/reporting tool. That mismatch materially increases the chance an agent or user invokes privileged mutation paths unexpectedly, turning an investigative skill into one capable of causing outages or infrastructure loss.

Context-Inappropriate Capability

Severity: Critical
Confidence: 99%
Finding
get_cce_kubeconfig returns full kubeconfig material, including client credentials, as YAML directly to the caller, with neither a strong warning nor a need tied to the skill's stated purpose. Exposing cluster access credentials enables lateral movement, arbitrary Kubernetes API access, and persistence far beyond change-impact analysis.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
list_cce_secrets can optionally return secret.data for arbitrary namespaces, which exceeds what is needed for impact analysis and exposes highly sensitive material such as tokens, keys, and passwords. This creates a direct credential disclosure path from the cluster to the skill caller.
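For both the kubeconfig findings on this page and this one on secret.data, the fix is the same shape: an analyzer should hand the agent what it needs for attribution (cluster endpoint, context names, which Secret keys exist and whether their values changed) and nothing that grants access. The following is an added example, not the skill's code, of that redaction: user credentials in a kubeconfig are replaced with a marker, and Secret values are reduced to their length plus a keyed HMAC-SHA256 tag, so two snapshots can be diffed while a caller holding the summary cannot guess short values offline. The kubeconfig, the Secret and the HMAC key are constructed samples with dummy values.

```python
import base64
import copy
import hashlib
import hmac
import json
from typing import Any, Dict

REDACTED = "<redacted>"

# kubeconfig `user` fields that carry, or can produce, credentials.
_USER_CREDENTIAL_KEYS = {
    "client-key-data", "client-key", "token", "tokenFile", "password",
    "exec", "auth-provider",
}


def redact_kubeconfig(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a kubeconfig with every user credential replaced.

    Cluster endpoints, CA data, the client certificate and context names are
    kept: an impact analysis can use them, and none of them is a secret.
    """
    out = copy.deepcopy(cfg)
    for entry in out.get("users", []):
        user = entry.get("user") or {}
        for key in list(user):
            if key in _USER_CREDENTIAL_KEYS:
                user[key] = REDACTED
    return out


def fingerprint_secret(secret: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Summarise a Kubernetes Secret object without its values.

    Each data entry becomes its decoded length and a truncated HMAC-SHA256
    tag. The key stays with the analyzer and is never returned, so the
    caller can compare tags across snapshots but cannot brute-force them.
    """
    meta = secret.get("metadata", {})
    summary = {}
    for name, b64 in (secret.get("data") or {}).items():
        raw = base64.b64decode(b64)
        tag = hmac.new(key, raw, hashlib.sha256).hexdigest()[:16]
        summary[name] = {"bytes": len(raw), "hmac16": tag}
    return {"namespace": meta.get("namespace"), "name": meta.get("name"),
            "type": secret.get("type"), "data": summary}


# Constructed sample documents with dummy values; not from any real cluster.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "cce-demo", "cluster": {
        "server": "https://192.0.2.10:5443",
        "certificate-authority-data": base64.b64encode(b"dummy-ca").decode()}}],
    "users": [{"name": "cce-user", "user": {
        "client-certificate-data": base64.b64encode(b"dummy-cert").decode(),
        "client-key-data": base64.b64encode(b"dummy-key").decode(),
        "token": "dummy-token-value"}}],
    "contexts": [{"name": "cce-demo", "context": {"cluster": "cce-demo", "user": "cce-user"}}],
    "current-context": "cce-demo",
}
SAMPLE_SECRET = {
    "metadata": {"name": "db-creds", "namespace": "payments"},
    "type": "Opaque",
    "data": {"username": base64.b64encode(b"app").decode(),
             "password": base64.b64encode(b"hunter2").decode()},
}


def demo() -> Dict[str, Any]:
    """What an agent would receive instead of the raw documents."""
    return {"kubeconfig": redact_kubeconfig(SAMPLE_KUBECONFIG),
            "secret": fingerprint_secret(SAMPLE_SECRET, key=b"demo-analyzer-key")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

If the skill must hand back a usable kubeconfig at all, do it through an operator-only path that writes it to a file with restrictive permissions and returns the path, never the YAML itself, so the credentials do not end up in tool-call transcripts or agent logs.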

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
Arbitrary pod log retrieval can disclose application secrets, personal data, access tokens, or internal topology information present in logs. While logs may sometimes help incident/change correlation, the implementation offers broad access without strong scoping or masking, making it riskier than the manifest suggests.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
This file implements active cluster mutation operations such as addon install, update, uninstall, and live reconfiguration, which are outside the stated scope of a change-impact analysis skill. In an agent setting, scope drift from read-only analysis to write-capable infrastructure actions is dangerous because a user invoking an analysis workflow could unintentionally trigger production changes.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The skill metadata describes causal attribution and report generation, but the code exposes infrastructure-changing addon management capabilities that can alter cluster state. That mismatch increases the chance of unsafe invocation, privilege misuse, or prompt/agent confusion leading to unauthorized operational changes during what should be an investigative workflow.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
This module includes create and delete operations for CCE LogConfig resources even though the skill is described as an analysis/reporting tool. That creates an unnecessary state-changing capability that can alter or disable cluster log collection, undermining observability and expanding blast radius beyond the stated purpose.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The code can build, create, and delete cluster log collection policies, including all-container collection modes, which is materially broader than change-impact analysis. In a forensic or incident-analysis context, such mutation capability is especially dangerous because it can suppress, redirect, or unexpectedly expand log capture across workloads.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The helper requests short-lived Kubernetes client certificates and uses them to access the cluster API, giving the skill direct infrastructure access not clearly implied by an analysis-only manifest. Even if intended for discovery, this broadens trust boundaries and increases the consequence of misuse or prompt-driven abuse.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
This file implements provisioning, deployment, and verification workflows for CCE/CCI bursting rather than change-impact analysis. In the context of a skill advertised for incident attribution and evidence reporting, this is dangerous because invoking the skill could cause real infrastructure changes, charges, and incident contamination instead of performing read-only analysis.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The code creates VPCEP endpoints and may auto-resolve route tables, which modifies cloud network resources and can incur cost. In a skill whose stated purpose is analyzing prior changes during incidents, these write actions are especially dangerous because they can alter the environment under investigation and expand blast radius beyond simple observation.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
This section installs and configures the virtual-kubelet addon, changing cluster behavior and scheduling configuration. For an incident-analysis skill, such mutations are dangerous because they can modify the suspected system state, obscure root-cause evidence, and introduce new availability or security issues while the operator expects a diagnostic workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The code creates or patches namespaces and Deployments to run a smoke workload, which is unrelated to passive change-impact analysis. Even with a confirmation flag, this can consume cluster resources, alter workload state, and contaminate incident timelines, making forensic conclusions less trustworthy.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
This file belongs to a skill described as change-impact analysis, but it includes destructive cluster lifecycle operations such as deletion. That is a dangerous capability mismatch: an analysis-oriented skill can be used to perform irreversible administrative actions, increasing the chance of misuse, prompt-injection abuse, or operator error.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The kubeconfig retrieval function generates and returns active cluster access material, which is far beyond what is needed for incident change-impact analysis. Exposing kubeconfig in tool output can directly enable cluster access, lateral movement, and privilege escalation if the response is logged, forwarded, or shown to an untrusted caller.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal