Huawei Cloud Cce Cost Optimization Advisor

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as a read-only Huawei CCE cost advisor, but it ships callable cloud and Kubernetes admin actions that can modify infrastructure and access secrets or logs.

Install only if you intend to grant this package broad Huawei Cloud and Kubernetes administrative capability, not just cost-analysis access. Use a tightly scoped test account or read-only IAM/RBAC where possible, avoid passing secrets on the command line, and review any invocation that can create, update, delete, expose, or roll back cluster resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (149)

Description-Behavior Mismatch

High severity, 97% confidence
The skill manifest claims read-only cost analysis, but the code explicitly exposes destructive and state-changing capabilities such as delete_cce_cluster, delete_cce_node, delete_cce_workload, resize_node_pool, and scale_cce_workload through the compatibility alias map. Even if not invoked directly in this file, making those operations available inside a cost-optimization advisor materially increases the chance of accidental or unauthorized infrastructure modification and violates the declared trust boundary.

Context-Inappropriate Capability

Medium severity, 92% confidence
The alias table imports and exposes broad cloud-management functions unrelated to a narrowly scoped cost advisor, including deletion, scaling, networking, storage, IAM, and cluster inspection capabilities. Excess capability increases blast radius if the agent is prompted incorrectly, compromised, or later extended, undermining least-privilege expectations for a read-only advisory tool.

Intent-Code Divergence

High severity, 98% confidence
The security comments state that credentials and certificates must never be saved to the filesystem, yet _configure_k8s_client_certificate_files writes decoded client_certificate_data and client_key_data from kubeconfig to disk-backed temporary files. Those files can be exposed through weak temp-directory permissions, forensic recovery, crashes before cleanup, or concurrent local access, creating credential leakage risk.

Description-Behavior Mismatch

High severity, 98% confidence
The file exposes multiple state-changing functions for creating, updating, enabling, disabling, and deleting AOM alarm and notification rules, even though the skill metadata promises read-only analysis and suggestions only. In an agent setting, this is a dangerous capability mismatch because a user or downstream orchestrator may trust the manifest and invoke the skill expecting no side effects, but the code can still alter monitoring coverage and operational alerting.

Context-Inappropriate Capability

High severity, 95% confidence
Alarm-rule and notification-rule administration is outside the stated purpose of CCE cost optimization and materially expands the skill's effective privilege surface. This creates a confused-deputy risk where a cost-analysis tool can be repurposed to suppress, alter, or remove monitoring controls, reducing visibility into incidents or policy violations.

Description-Behavior Mismatch

High severity, 99% confidence
This code performs an actual Kubernetes Deployment rollback by calling replace_namespaced_deployment after a confirmation flag is set. That directly contradicts the skill metadata claiming read-only analysis and suggestions only, creating a dangerous trust-boundary violation where a user or orchestrator may invoke mutation-capable code under the assumption that it cannot change cluster state.

Description-Behavior Mismatch

High severity, 98% confidence
auto_remediation_run orchestrates diagnosis, preview, confirmed rollback execution, optional waiting, and report generation, which is well outside a cost-optimization advisor's declared scope. In an agent ecosystem, this scope mismatch is dangerous because the trigger phrases are about cost/billing optimization, yet the code can initiate operational recovery actions against workloads.

Context-Inappropriate Capability

Medium severity, 90% confidence
The rollout diagnosis helper enables pod log collection and broad diagnostic retrieval, including selectors, event limits, pod counts, and credentialed cluster access, despite the skill being presented as a cost advisor. This unnecessarily expands access to potentially sensitive workload telemetry and application logs, increasing data exposure risk if the skill is invoked under a low-risk cost-optimization context.

Context-Inappropriate Capability

Low severity, 82% confidence
The function writes a markdown report to an arbitrary path supplied in output_file without validation or constraint. While not inherently a remote code execution issue, it creates an unnecessary file-write primitive that is unrelated to the advisor's stated purpose and can overwrite local files or place sensitive operational data in unintended locations.

Intent-Code Divergence

Medium severity, 86% confidence
The 'Preview-first' docstring understates the module's real capability because confirmed execution performs live Deployment mutations. Misleading safety labeling is dangerous in agent tooling because operators, policy engines, or reviewers may approve or route the skill based on inaccurate assumptions about non-destructive behavior.

Description-Behavior Mismatch

Medium severity, 89% confidence
This cost-optimization skill performs materially broader autoscaling diagnostics than its declared scope and collects operational data beyond what is necessary for simple read-only cost advice. That scope expansion increases access to sensitive cluster state and can surprise users or reviewers, especially because pod/log collection may expose operational details unrelated to cost analysis.

Context-Inappropriate Capability

Medium severity, 95% confidence
The code actively fetches and parses cluster-autoscaler pod logs, which can contain sensitive operational information such as errors, infrastructure identifiers, permissions failures, and possibly embedded secrets or tokens from downstream systems. For a cost optimization advisor, this is an unjustified data-access expansion and creates unnecessary exposure of sensitive runtime data.

Description-Behavior Mismatch

Critical severity, 99% confidence
The skill metadata promises read-only cost optimization analysis, but this file implements numerous state-changing and destructive operations including deleting clusters/nodes/workloads, scaling workloads, draining nodes, hibernating clusters, and changing control-plane exposure. This is a severe scope mismatch: a user invoking a cost advisor could be exposed to mutation-capable actions far outside the declared purpose, increasing the risk of accidental or deceptive infrastructure changes.

Context-Inappropriate Capability

High severity, 98% confidence
The file can retrieve kubeconfig, pod data, namespaces, deployments, events, PVCs/PVs, services, ingresses, configmaps, logs, and other broad runtime information that is not necessary for a cost optimization advisor. This overbroad access expands the blast radius from cost analysis into full cluster reconnaissance and sensitive operational visibility.

Context-Inappropriate Capability

Critical severity, 100% confidence
The skill includes secret enumeration and can optionally return secret data, which is unrelated to cost optimization and directly enables credential and secret material exposure. In a cost-advisor context, this is especially dangerous because users and orchestrators would not reasonably expect the skill to access high-sensitivity secrets.

Context-Inappropriate Capability

High severity, 97% confidence
Pod log retrieval is a troubleshooting and forensic capability, not a cost optimization function, and logs often contain tokens, credentials, personal data, and internal system details. Adding log access to this skill broadens it into a sensitive observability channel without a purpose-aligned need.

Context-Inappropriate Capability

Critical severity, 99% confidence
Binding or unbinding a control-plane EIP changes the public network exposure of the Kubernetes API server, which is unrelated to cost optimization and can materially alter the cluster's attack surface. In the context of a read-only advisor, this capability is a major privilege/scope violation with potentially severe security consequences.

Description-Behavior Mismatch

High severity, 99% confidence
This file exposes active cluster mutation capabilities—addon install, update, uninstall, and bursting configuration—even though the skill is described as read-only cost optimization analysis only. In an agent setting, this creates a dangerous capability mismatch: a user or prompt path intended for advisory analysis could trigger real infrastructure changes, violating least privilege and increasing the risk of unauthorized or accidental modification.

Context-Inappropriate Capability

High severity, 96% confidence
The addon lifecycle and bursting configuration features are outside the declared purpose of a cost-optimization advisor and materially expand the skill's operational power. This unnecessary capability broadening increases attack surface and makes prompt or routing mistakes far more damaging because the skill can alter cluster software and networking rather than only analyze usage data.

Intent-Code Divergence

Medium severity, 88% confidence
The module declares general addon management behavior, which conflicts with the manifest's promise of read-only analysis and recommendations. This inconsistency is dangerous because security controls, reviewers, and users may trust the manifest while the implementation silently retains write operations, enabling unexpected cluster changes.

Description-Behavior Mismatch

High severity, 99% confidence
This module provides application-log discovery, audit-log inspection, and log querying features that are unrelated to the declared cost-optimization purpose of the skill. In an agent setting, this scope expansion increases the chance of unauthorized access to operationally sensitive data and violates least-functionality expectations, especially because users may invoke a cost advisor without realizing it can inspect logs.

Description-Behavior Mismatch

Critical severity, 100% confidence
The file implements create and delete operations for CCE LogConfig resources even though the manifest claims the skill is read-only and will not modify workloads or configuration without explicit confirmation. Although a confirm flag is checked, the presence of undisclosed write capabilities in a cost-optimization advisor is highly dangerous because it enables configuration changes that can start or stop cluster log collection, altering observability and potentially disrupting security monitoring.

Context-Inappropriate Capability

High severity, 97% confidence
Audit-log and application-log inspection are context-inappropriate for a cost optimization advisor and expose sensitive operational telemetry such as user identities, request URIs, namespaces, and workload behavior. In this context, the mismatch is dangerous because users and reviewers may grant the skill broad access under the assumption it only performs cost analysis, while it can actually mine security-relevant activity data.

Intent-Code Divergence

Medium severity, 90% confidence
The module docstring describes only 'Application log discovery and query helpers' while the file also contains functions to create and delete cluster LogConfig resources. This understatement can mislead reviewers, operators, and automated governance systems about the code’s true capability set, increasing the risk that mutating functionality is approved or deployed without proper scrutiny.

Description-Behavior Mismatch

High severity, 97% confidence
The file implements cluster health/incident auto-inspection and diagnosis workflows, including alarms, crash loops, replica mismatches, ELB traffic anomalies, and operational diagnostics, which is materially broader than the declared cost-optimization advisor scope. This scope mismatch is dangerous because it can cause the agent to collect and act on production operational telemetry the user did not intend to expose under a cost-analysis skill, increasing the risk of unauthorized monitoring and unsafe follow-on recommendations.

VirusTotal

VirusTotal findings are pending for this skill version.