Huawei Cloud CCE Container Migration Planner

Security checks across malware telemetry and agentic risk

Overview

This skill presents itself as read-only migration planning, but its bundled dispatcher exposes real cloud and Kubernetes change actions, so it needs review before installation.

Install only if you intend to grant this package broad Huawei Cloud and Kubernetes administration capability, not just read-only migration planning. Prefer a read-only IAM/RBAC account, avoid production write credentials, do not enable Secret data or log collection unless needed, and review or remove the undocumented mutating dispatcher actions before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (260)

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The wrapper re-exports destructive operations such as delete_cce_cluster, delete_cce_node, delete_cce_workload, resize_node_pool, and scale_cce_workload even though the skill metadata describes a read-only migration-planning tool. This creates a capability/intent mismatch: any caller that can invoke registered actions may gain write or destructive control over cloud and Kubernetes resources, increasing the risk of accidental or unauthorized modification during what should be a planning-only workflow.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: The security comments explicitly state that certificates must never be written to disk, but helper logic later writes client certificate and key material from kubeconfig into temporary files. This contradiction is dangerous because operators may trust the documented controls while sensitive Kubernetes client credentials are actually exposed to local disk, backups, forensic tooling, or other processes on the host.
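Python's ssl module, and therefore the urllib3 transport used by the Kubernetes Python client, loads a client certificate and key only from file paths, which is usually why helpers like this one end up writing kubeconfig material to disk. If that cannot be avoided, the material should exist only inside a private directory, as 0600 files created with O_EXCL, and be overwritten and unlinked as soon as the API session is done. The following is an added example written for this review, not the skill's helper; the PEM bytes are constructed placeholders, and how they are extracted from kubeconfig is assumed.

```python
import os
import stat
import tempfile
from contextlib import contextmanager

# Added example for this review, not the skill's helper. cert_pem/key_pem are assumed
# to be the decoded client-certificate-data / client-key-data values from a kubeconfig.


@contextmanager
def materialize_client_credentials(cert_pem: bytes, key_pem: bytes):
    """Expose cert/key as file paths for the duration of a `with` block only.

    Python's ssl module (and so urllib3 and the kubernetes client) loads client
    certificates from paths, so if the material must touch disk at all, limit
    who can read it (0700 dir, 0600 files) and for how long (overwrite + unlink).
    """
    with tempfile.TemporaryDirectory(prefix="k8s-client-") as tmpdir:
        os.chmod(tmpdir, 0o700)  # mkdtemp already does this; be explicit about it
        paths = {}
        try:
            for name, data in (("client.crt", cert_pem), ("client.key", key_pem)):
                path = os.path.join(tmpdir, name)
                # O_EXCL: refuse to follow a pre-planted symlink; 0600 from creation.
                fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
                with os.fdopen(fd, "wb") as fh:
                    fh.write(data)
                paths[name] = path
            yield paths["client.crt"], paths["client.key"]
        finally:
            # Best-effort overwrite before unlink; TemporaryDirectory removes the dir.
            for path in paths.values():
                try:
                    size = os.path.getsize(path)
                    with open(path, "r+b") as fh:
                        fh.write(b"\0" * size)
                        fh.flush()
                        os.fsync(fh.fileno())
                    os.unlink(path)
                except FileNotFoundError:
                    pass


def file_mode(path: str) -> int:
    """Permission bits of a path, for checking the 0600/0700 guarantees."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Run the context manager on constructed PEM placeholders and report what was observable."""
    cert = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholderNotARealCert\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN PRIVATE KEY-----\nMIIEplaceholderNotARealKey\n-----END PRIVATE KEY-----\n"
    with materialize_client_credentials(cert, key) as (cert_path, key_path):
        with open(key_path, "rb") as fh:
            key_on_disk = fh.read()
        observed = {
            "key_mode": file_mode(key_path),
            "cert_mode": file_mode(cert_path),
            "dir_mode": file_mode(os.path.dirname(key_path)),
            "key_round_trips": key_on_disk == key,
        }
    observed["key_exists_after"] = os.path.exists(key_path)
    observed["dir_exists_after"] = os.path.exists(os.path.dirname(key_path))
    return observed
```

The overwrite is best-effort only (journaling and copy-on-write filesystems may keep the old blocks), so the real control is the short lifetime and the 0700/0600 modes; a token-based kubeconfig avoids the file entirely where the cluster supports it.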

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: This file exposes multiple state-changing AOM operations such as create, update, enable, disable, and delete alarm/action rules, even though the skill is described as read-only migration planning and inventory. In an agent setting, this creates a dangerous capability mismatch: a user or prompt-injected workflow that appears to be planning-only could silently modify or remove monitoring controls, weakening detection and affecting production observability.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The module includes alerting and notification administration, including listing and deleting action rules, which is not necessary for container migration planning. Because notification rules control who gets alerted, these capabilities could be abused to suppress operational visibility or alter incident-routing during a migration, making failures or compromise harder to detect.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: This code can perform a live Kubernetes Deployment rollback by calling replace_namespaced_deployment when confirm=true, which is materially inconsistent with a skill advertised as read-only migration planning and inventory. In this context, the danger is not just operational risk: a caller, orchestrator, or user who trusts the manifest-level scope may unintentionally grant this skill execution in environments where only assessment behavior was expected, enabling unauthorized production changes.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The auto_remediation_run workflow goes beyond planning by diagnosing, initiating rollback, waiting for recovery, and optionally writing reports to disk. In a migration-planning skill whose declared purpose is assessment and plan generation, bundling active remediation increases the chance of unsafe invocation and privilege misuse because downstream systems may treat the skill as non-mutating when it is not.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding: This file implements operational auto-remediation logic in a skill whose stated scope is migration planning and read-only inventory. That mismatch is dangerous because it expands real authority beyond expected boundaries, making accidental or policy-bypassing production changes more likely in environments where operators selected the skill specifically because it appeared non-invasive.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The function retrieves cluster-autoscaler pod logs and feeds them into diagnostic evidence without any minimization, redaction, or explicit consent flow. Pod logs can contain infrastructure metadata, error traces, internal identifiers, and occasionally secrets or tokens, so collecting them in a migration-planning skill expands data exposure beyond the advertised read-only inventory purpose.

Context-Inappropriate Capability

Severity: Low
Confidence: 84%
Finding: The function writes the generated report to an arbitrary local path supplied by the caller, which can expose cluster diagnostics to unintended filesystem locations. Even though this is not code execution, it creates a confidentiality risk and can overwrite files if higher-level callers pass unsafe paths.
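A report writer that accepts a caller-supplied path should resolve it against one operator-chosen root, refuse anything that escapes that root (absolute paths, `..`, symlinks out of the tree) and create the file with O_EXCL so it can never overwrite an existing file. The example below is added for this review and is not the skill's own writer; the report root, the file names and the report contents are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Added example for this review, not the skill's report writer. The report root is
# an operator-supplied directory (an assumption); everything else is derived from it.


class UnsafeReportPath(ValueError):
    """Raised for any requested name that would land outside the report root."""


def resolve_report_path(report_root: str, requested: str) -> Path:
    """Map a caller-supplied name onto a path strictly inside report_root.

    Rejects absolute paths, '..' traversal and symlink escapes (checked on the
    fully resolved path), so a planning report cannot land in /etc, ~/.ssh or
    another tool's working directory.
    """
    root = Path(report_root).resolve()
    if os.path.isabs(requested):
        raise UnsafeReportPath(f"absolute path not allowed: {requested!r}")
    candidate = (root / requested).resolve()
    if candidate == root or not any(parent == root for parent in candidate.parents):
        raise UnsafeReportPath(f"path escapes report root: {requested!r}")
    return candidate


def write_report(report_root: str, requested: str, content: str) -> Path:
    """Write a report without clobbering anything that already exists."""
    path = resolve_report_path(report_root, requested)
    path.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL: creation fails if the file exists, so a careless caller cannot
    # overwrite an earlier report, and a symlink planted at the name is not followed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    return path


def demo() -> dict:
    """Exercise the guard against a fresh temporary report root (constructed)."""
    root = tempfile.mkdtemp(prefix="planner-reports-")
    outcome = {"rejected": [], "written": None, "inside_root": False, "overwrite_blocked": False}
    for bad in ("../escape.md", "/etc/cron.d/planner", "plan/../../x.md", ""):
        try:
            resolve_report_path(root, bad)
        except UnsafeReportPath:
            outcome["rejected"].append(bad)
    path = write_report(root, "plan/cluster-a.md", "# migration plan\n")
    outcome["written"] = path.read_text(encoding="utf-8")
    outcome["inside_root"] = any(parent == Path(root).resolve() for parent in path.parents)
    try:
        write_report(root, "plan/cluster-a.md", "overwrite attempt\n")
    except FileExistsError:
        outcome["overwrite_blocked"] = True
    return outcome
```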

Description-Behavior Mismatch

Severity: Critical
Confidence: 99%
Finding: The skill metadata explicitly claims a read-only migration planning/inventory purpose, but this file includes numerous mutating and destructive operations such as deleting clusters/nodes/workloads, scaling workloads, draining nodes, hibernating clusters, and binding public EIPs. This creates a severe capability mismatch that can mislead users or higher-level agents into invoking dangerous actions under the assumption the skill is safe for planning-only use.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: A read-only migration planning skill should not mint live Kubernetes client credentials and establish direct Kubernetes API access. Generating kubeconfig/cert material greatly expands the blast radius from cloud inventory into cluster-authenticated access, enabling both sensitive data access and follow-on mutation if reused elsewhere.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: Secret enumeration is not necessary for migration planning at this level and exposes highly sensitive cluster metadata and, optionally, secret contents. Even listing names, namespaces, types, and keys can materially aid credential discovery and privilege escalation, while include_data can directly disclose secret material.
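Before binding any service account to this skill, audit the Role or ClusterRole it would receive: for planning, only get/list/watch on non-sensitive resources, no secrets access at all (even list leaks key names and types, as the finding notes), no pods/log, no wildcards and no escalation verbs. The check below is an added example for this review, not code from the skill or from Huawei Cloud; the overbroad ClusterRole JSON is constructed in the shape of `kubectl get clusterrole -o json`, and the read-only role it builds is a suggested baseline, not anything the skill ships.

```python
import json

# Added example for this review, not the skill's code or a Huawei Cloud artefact.

READ_VERBS = {"get", "list", "watch"}
# Verbs that let a subject grow its own permissions; never acceptable for planning.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Resources a planning identity should not read at all, even by name.
FORBIDDEN_READ_RESOURCES = {"secrets", "pods/log"}


def audit_rules(rules: list) -> list:
    """Return human-readable violations for a Role/ClusterRole rules array."""
    violations = []
    for i, rule in enumerate(rules):
        loc = f"rules[{i}]"
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs:
            violations.append(f"{loc}: wildcard verb '*' grants write access")
        else:
            escalating = verbs & ESCALATION_VERBS
            if escalating:
                violations.append(f"{loc}: escalation verbs {sorted(escalating)}")
            writes = verbs - READ_VERBS - ESCALATION_VERBS
            if writes:
                violations.append(f"{loc}: write verbs {sorted(writes)} on {sorted(resources) or ['*']}")
        if "*" in resources:
            violations.append(f"{loc}: wildcard resource '*' includes secrets")
        for res in sorted(resources & FORBIDDEN_READ_RESOURCES):
            violations.append(f"{loc}: read access to {res} exceeds planning scope")
    return violations


def audit_role(obj: dict) -> list:
    """Audit a parsed Role/ClusterRole object (kubectl -o json shape)."""
    if obj.get("kind") not in ("Role", "ClusterRole"):
        raise ValueError(f"not an RBAC role: {obj.get('kind')!r}")
    return audit_rules(obj.get("rules", []))


# Constructed: what an over-permissive role for this skill might look like.
OVERBROAD_ROLE_JSON = """
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "planner-overbroad-example"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "nodes", "namespaces"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "update", "patch"]}
  ]
}
"""


def planning_clusterrole() -> dict:
    """A read-only baseline (an assumption, not shipped by the skill) that passes the audit."""
    ro = ["get", "list", "watch"]
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": "cce-migration-planner-readonly"},
        "rules": [
            {"apiGroups": [""], "resources": ["namespaces", "nodes", "pods", "services", "configmaps",
                                              "persistentvolumeclaims", "persistentvolumes"], "verbs": ro},
            {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "daemonsets"], "verbs": ro},
            {"apiGroups": ["autoscaling"], "resources": ["horizontalpodautoscalers"], "verbs": ro},
        ],
    }


def demo() -> dict:
    return {
        "overbroad": audit_role(json.loads(OVERBROAD_ROLE_JSON)),
        "planning": audit_role(planning_clusterrole()),
    }
```

Run it against `kubectl get clusterrole <name> -o json` output before the binding is created; an empty list is the only acceptable result for a planning identity.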

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: Pod log retrieval is operational troubleshooting functionality, not migration planning, and may expose credentials, tokens, internal endpoints, customer data, or stack traces. In a planning skill, this is unnecessary privilege expansion that increases the chance of sensitive data disclosure.
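The two pod-log findings above (cluster-autoscaler logs fed into diagnostic evidence, and general pod log retrieval) share one mitigation if the capability is kept at all: minimise first, then redact, before anything is stored as evidence. The example below does both on constructed klog-style lines and is added for this review; it is not the skill's log helper, every sample line and credential value in it is fabricated, and the redaction rules are a starting set, not a complete one.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# Added example for this review, not the skill's log helper. Sample lines are constructed
# in klog style (the format cluster-autoscaler emits); all secrets in them are fake.

# Each rule: (name, pattern, replacement). Order matters: JWTs are labelled before the
# generic bearer rule would consume them, and key=value runs before the IP rule.
REDACTION_RULES = [
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"), "[REDACTED-JWT]"),
    ("bearer-token", re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9\-._~+/]+=*"), r"\1 [REDACTED]"),
    # key=value / key: value forms; 'ak'/'sk' cover Huawei Cloud access-key/secret-key naming.
    ("key-value-secret", re.compile(
        r"(?i)\b(access[_-]?key(?:[_-]?id)?|secret[_-]?(?:access[_-]?)?key|password|passwd|token|api[_-]?key|ak|sk)"
        r"(\s*[=:]\s*)([\"']?)[^\s\"',;]+"), r"\1\2\3[REDACTED]"),
    ("url-credentials", re.compile(r"(?i)\b([a-z][a-z0-9+.-]*://)([^/\s:@]+):([^/\s@]+)@"), r"\1\2:[REDACTED]@"),
    # Minimisation rather than secrecy: internal addressing does not belong in a planning report.
    ("private-ipv4", re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
        "[PRIVATE-IP]"),
]

# Constructed sample; nothing here came from a real cluster.
SAMPLE_POD_LOGS = [
    "I0314 10:02:11.120 scale_up.go:431] Best option to resize: default-pool",
    "I0314 10:02:12.001 huawei_provider.go:88] auth ok ak=AKIDEXAMPLE00000 sk=k3yEXAMPLEsecret",
    "E0314 10:02:13.500 request.go:77] GET https://cce.cn-north-4.myhuaweicloud.com/api/v3/projects/p1/clusters "
    "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjYSJ9.c2lnbmF0dXJlX2Jsb2Jfc2ln",
    "W0314 10:02:14.000 node.go:12] node 192.168.0.23 unreachable, password=hunter2 for bastion",
    "I0314 10:02:15.000 db.go:9] dial postgres://planner:s3cret@10.0.0.5:5432/inventory",
]


def redact_line(line: str) -> Tuple[str, List[str]]:
    """Apply every rule in order; return the cleaned line and the names of rules that fired."""
    hits = []
    for name, pattern, repl in REDACTION_RULES:
        line, n = pattern.subn(repl, line)
        if n:
            hits.append(name)
    return line, hits


def klog_level(line: str) -> Optional[str]:
    """Severity letter (I/W/E/F) of a klog-format line, or None if it is not klog."""
    if len(line) > 5 and line[0] in "IWEF" and line[1:5].isdigit():
        return line[0]
    return None


def minimize(lines: List[str], keep_levels=("W", "E", "F")) -> List[str]:
    """Keep only the lines a diagnosis actually needs; info chatter is dropped unread."""
    return [line for line in lines if klog_level(line) in keep_levels]


def collect_evidence(lines: List[str], keep_levels=("W", "E", "F")) -> dict:
    """Minimise, then redact, and account for what was dropped and what was masked."""
    kept, fired = [], Counter()
    for line in minimize(lines, keep_levels):
        clean, names = redact_line(line)
        kept.append(clean)
        fired.update(names)
    return {"kept": kept, "dropped": len(lines) - len(kept), "redactions": dict(fired)}


def demo() -> dict:
    return collect_evidence(SAMPLE_POD_LOGS)
```

The redaction counters belong in the report alongside the evidence: a reviewer can then see that secrets were present in the logs without seeing the secrets, which is also a useful signal about the cluster itself.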

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: Binding or unbinding an EIP on the cluster control plane changes public exposure of the Kubernetes API and is unrelated to migration planning. Exposing the API publicly can materially increase attack surface and create network security regressions if used without stringent safeguards.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The file exposes write-capable operations such as addon installation, update, uninstall, and live reconfiguration, while the skill metadata describes a read-only migration-planning capability. This capability mismatch is dangerous because an agent or user expecting passive inventory/planning could unintentionally perform destructive or service-affecting changes to production clusters.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The bursting addon helper performs direct reconfiguration of a live cluster addon, including network-related fields, despite the skill being framed as migration planning. Changes to addon networking and scheduling behavior can alter workload placement, connectivity, logging, or stability, making this especially risky when invoked under a supposedly assessment-only context.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The skill metadata describes a read-only migration planning capability, but this file includes active cluster mutation operations that create and delete CCE LogConfig custom resources. That expands the tool from inventory/assessment into configuration change, enabling an agent or caller to alter log collection behavior, disrupt observability, or redirect logging in ways users would not reasonably expect from the declared scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The file provides broad application and audit log discovery, querying, and analysis features that exceed the stated migration-planning purpose. Because logs often contain sensitive operational details, identities, request metadata, and secrets, this unjustified scope increase creates an unnecessary data-access surface and raises the risk of over-collection or misuse.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The file implements cluster health inspection, anomaly detection, and diagnosis logic, which materially differs from the manifest's stated migration-planning and inventory role. This capability mismatch is dangerous because users or orchestration systems may invoke the skill expecting read-only migration planning, while it actually performs live operational monitoring and produces incident-style outputs that can alter downstream decisions and trust boundaries.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The deep-diagnosis and recovery-plan logic goes beyond migration planning into operational troubleshooting and suggested remediation actions. Even if the code does not directly execute those actions, generating prescriptive recovery steps under a misleading skill identity can cause operators or agents to take unintended production actions based on an inaccurately scoped tool.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding: The auto-inspection entrypoint performs live monitoring and automatically escalates from quick check to deep diagnosis when anomalies are detected, which is not justified by a migration-planning skill description. In practice, this expands the operational scope, increases cloud API access and data collection, and can trigger unexpected monitoring behavior in production environments without informed user intent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The skill writes reports, summaries, charts, and persistent history to local disk even though the skill is described as read-only inventory/planning. This breaks the principle of least surprise and can create unauthorized retention of operational or potentially sensitive infrastructure data on the host filesystem.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding: The code generates HPA manifests, which is configuration-authoring functionality outside a migration-planning skill's stated read-only scope. Even if it does not apply the manifest directly, it can steer operators toward infrastructure changes using generated artifacts that may be treated as authoritative.

Description-Behavior Mismatch

Severity: High
Confidence: 92%
Finding: The implemented action performs capacity forecasting and elasticity optimization rather than the migration inventory and rollback planning advertised in the manifest. This is a capability/scope mismatch that can cause users or orchestrators to invoke the skill under false assumptions, weakening trust boundaries and leading to unintended data collection or output generation.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: This file contains multiple state-changing operations that create VPCEP endpoints, install/configure the virtual-kubelet addon, and deploy Kubernetes workloads, which directly contradicts the skill's declared read-only migration-planning and inventory purpose. In this context, the mismatch is especially dangerous because users or orchestrators may grant broader trust to the skill based on its metadata and unknowingly allow infrastructure modification and cost-incurring actions.
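The overview's advice to remove the undocumented mutating dispatcher actions, and the dispatcher findings above that name delete_cce_cluster, delete_cce_node, delete_cce_workload, resize_node_pool and scale_cce_workload (plus the draining, hibernation, EIP-binding, addon and deployment operations described without names), come down to one control: a deny-by-default gate in front of the action registry that exposes an explicit read-only allowlist, refuses parameters that widen access (include_data, confirm) and fails closed if the allowlist itself is misconfigured. The example below is added for this review and is not the skill's dispatcher; action names are taken from the findings where the page gives them, and the remaining names, the handler bodies and PLANNING_ALLOWLIST are assumptions.

```python
import re
from typing import Callable, Dict, List

# Added example for this review, not the skill's bundled dispatcher. Names such as
# delete_cce_cluster and scale_cce_workload come from the findings on this page; the
# other action names, the handlers and the allowlist contents are assumptions.

MUTATING_VERB = re.compile(
    r"^(create|update|delete|remove|resize|scale|drain|hibernate|bind|unbind|install|uninstall|"
    r"enable|disable|rollback|replace|apply|patch|deploy|set|run)_")
READ_ONLY_PREFIXES = ("list_", "get_", "describe_", "count_")

# Read-only by verb shape does not mean safe to expose: list_secrets and get_pod_logs are
# read-only and still out of scope for planning, so the allowlist is explicit and short.
PLANNING_ALLOWLIST = {"list_cce_clusters", "get_cce_cluster", "list_cce_nodes", "list_cce_workloads"}


def classify(action: str) -> str:
    """Coarse shape check used for auditing and for validating the allowlist."""
    if MUTATING_VERB.match(action):
        return "mutating"
    if action.startswith(READ_ONLY_PREFIXES):
        return "read-only"
    return "unknown"


def audit_registry(registry: Dict[str, Callable]) -> Dict[str, List[str]]:
    """Bucket every registered action by shape; anything 'mutating' or 'unknown' needs review."""
    out = {"mutating": [], "read-only": [], "unknown": []}
    for name in sorted(registry):
        out[classify(name)].append(name)
    return out


class ActionDenied(PermissionError):
    pass


class ReadOnlyDispatcher:
    """Deny-by-default gate: only allowlisted, read-only-shaped actions can be invoked."""

    def __init__(self, registry: Dict[str, Callable], allowlist) -> None:
        self.registry = dict(registry)
        self.allowlist = set(allowlist)
        self.calls, self.denied = [], []
        # Fail closed: an allowlist entry that is not read-only by shape is a config error.
        bad = sorted(a for a in self.allowlist if classify(a) != "read-only")
        if bad:
            raise ValueError(f"allowlist contains non-read-only actions: {bad}")

    def invoke(self, action: str, **params):
        if action not in self.allowlist or action not in self.registry:
            self.denied.append(action)
            raise ActionDenied(f"{action!r} not permitted in planning mode ({classify(action)})")
        # Parameters that widen data access or turn a read into a write are refused outright.
        for flag in ("include_data", "confirm"):
            if params.get(flag):
                self.denied.append(action)
                raise ActionDenied(f"{action!r}: parameter {flag!r} is not permitted in planning mode")
        self.calls.append((action, params))
        return self.registry[action](**params)


def build_sample_registry() -> Dict[str, Callable]:
    """Constructed stand-in for the wrapper's registry; handlers just echo their call."""
    def handler(name):
        def run(**params):
            return {"action": name, "params": params}
        return run
    names = ["list_cce_clusters", "get_cce_cluster", "list_cce_nodes", "list_cce_workloads",
             "list_secrets", "get_pod_logs", "delete_cce_cluster", "delete_cce_node",
             "delete_cce_workload", "resize_node_pool", "scale_cce_workload", "drain_cce_node",
             "hibernate_cce_cluster", "bind_cluster_eip", "install_addon", "auto_remediation_run"]
    return {n: handler(n) for n in names}


def demo() -> dict:
    registry = build_sample_registry()
    gate = ReadOnlyDispatcher(registry, PLANNING_ALLOWLIST)
    result = {"audit": audit_registry(registry),
              "allowed": gate.invoke("list_cce_clusters", region="cn-north-4"),
              "denied": []}
    for action, params in (("delete_cce_cluster", {"cluster_id": "c-1"}),
                           ("list_secrets", {"namespace": "kube-system"}),
                           ("auto_remediation_run", {}),
                           ("list_cce_workloads", {"include_data": True})):
        try:
            gate.invoke(action, **params)
        except ActionDenied:
            result["denied"].append(action)
    try:
        ReadOnlyDispatcher(registry, PLANNING_ALLOWLIST | {"scale_cce_workload"})
        result["bad_allowlist_rejected"] = False
    except ValueError:
        result["bad_allowlist_rejected"] = True
    result["calls"] = [a for a, _ in gate.calls]
    return result
```

Run audit_registry() over the real wrapper's registry first: the 'mutating' and 'unknown' buckets are the list of actions to delete or at least keep off the allowlist, and auto_remediation_run lands in 'unknown' precisely because its name hides what it does.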

VirusTotal

VirusTotal findings are pending for this skill version.
