Huawei Cloud CCE Daily Cluster Inspector

Security checks across malware telemetry and agentic risk

Overview

The skill is presented as read-only cluster inspection, but its bundled dispatcher exposes many administrative actions that can change or delete cloud and Kubernetes resources.

Install only if you intend to grant this skill broad Huawei Cloud and Kubernetes administrative power, not just read-only inspection. Use least-privilege IAM/RBAC credentials, avoid credentials that can delete or mutate clusters, and do not allow automated agents to invoke actions outside the documented inspection list without explicit human review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (135)

Description-Behavior Mismatch
High severity, 98% confidence

This inspection-labeled skill rebinds destructive functions such as delete_cce_cluster, delete_cce_node, delete_cce_workload, resize_node_pool, and scale_cce_workload into its callable surface. In a skill explicitly described as read-only daily inspection, exposing mutation primitives creates a dangerous mismatch between user expectations and actual capability, increasing the risk of accidental or unauthorized destructive actions.

Context-Inappropriate Capability
Medium severity, 92% confidence

The presence of dangerous-operation confirmation state and TTL-based approval logic shows that this script is designed to support mutation workflows despite the skill being marketed as inspection-only. Even with confirmation, these helpers normalize unsafe operations in a low-risk context and may be abused if the surrounding dispatcher exposes them.
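The Overview asks that automated agents be unable to invoke anything outside the documented inspection list without explicit human review, and the finding above describes confirmation state with TTL-based approval. The following is an added example of what such a gate looks like when it sits in front of the dispatcher rather than inside the mutating helpers; it is not the skill's own code. The mutating verbs come from the operations named in the findings on this page; INSPECTION_ACTIONS, the HMAC-signed single-use approval record and its five-minute TTL are assumptions chosen for illustration.

```python
"""Added example: a read-only dispatch gate with a human-approval escape hatch.

Not code from the scanned skill. The mutating verbs mirror the operations the
findings enumerate; INSPECTION_ACTIONS, the signed approval record and its TTL
are assumptions for illustration.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# The documented inspection surface. Only these run without a human in the loop.
# Hypothetical names; substitute the skill's real documented list.
INSPECTION_ACTIONS = frozenset({
    "list_cce_clusters", "get_cce_cluster", "list_cce_nodes",
    "list_cce_workloads", "get_node_pool", "list_aom_alarm_rules",
})

# Name prefixes of the state-changing operations the findings describe.
MUTATING_PREFIXES = (
    "delete_", "resize_", "scale_", "update_", "create_", "enable_", "disable_",
    "cordon_", "uncordon_", "drain_", "bind_", "unbind_", "hibernate_", "wake_",
    "install_", "uninstall_", "rollback_",
)

APPROVAL_TTL_SECONDS = 300   # assumption: approvals are short-lived
_consumed_macs = set()       # each approval is single-use, so a replay inside the TTL fails


@dataclass(frozen=True)
class Approval:
    action: str
    target: str      # e.g. a cluster id; the approval covers exactly this target
    approver: str
    issued_at: int
    mac: str         # HMAC over the fields above, keyed by the approval service


def _mac(key: bytes, action: str, target: str, approver: str, issued_at: int) -> str:
    msg = "|".join((action, target, approver, str(issued_at))).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_approval(key: bytes, action: str, target: str, approver: str,
                   now: Optional[int] = None) -> Approval:
    """Produced by the human-review step, never by the agent itself."""
    issued_at = int(time.time()) if now is None else int(now)
    return Approval(action, target, approver, issued_at,
                    _mac(key, action, target, approver, issued_at))


def classify(action: str) -> str:
    if action in INSPECTION_ACTIONS:
        return "read"
    if action.startswith(MUTATING_PREFIXES):
        return "mutate"
    return "unknown"


def authorize(key: bytes, action: str, target: str, approval: Optional[Approval] = None,
              now: Optional[int] = None):
    """Decide whether a call may proceed. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else int(now)
    kind = classify(action)
    if kind == "read":
        return True, "documented inspection action"
    if kind == "unknown":
        return False, f"{action} is not in the documented inspection list"
    if approval is None:
        return False, f"{action} mutates state and carries no human approval"
    expected = _mac(key, approval.action, approval.target, approval.approver, approval.issued_at)
    if not hmac.compare_digest(expected, approval.mac):
        return False, "approval record failed integrity check"
    if (approval.action, approval.target) != (action, target):
        return False, "approval covers a different action or target"
    if not 0 <= now - approval.issued_at <= APPROVAL_TTL_SECONDS:
        return False, "approval expired or not yet valid"
    if approval.mac in _consumed_macs:
        return False, "approval already used"
    _consumed_macs.add(approval.mac)
    return True, f"approved by {approval.approver}"


def dispatch(registry: dict, key: bytes, action: str, target: str,
             approval: Optional[Approval] = None, now: Optional[int] = None, **kwargs):
    """Gate in front of the skill's function table: refuses before any cloud call is made."""
    allowed, reason = authorize(key, action, target, approval, now)
    if not allowed:
        raise PermissionError(reason)
    return registry[action](target, **kwargs)
```

The important property is that the decision is made from the action name and target before the registered function runs, so a planner that selects delete_cce_cluster from an inspection prompt gets a PermissionError rather than a confirmation prompt it can answer itself. Unknown names are refused as well, since an allow-list that only blocks known-bad verbs is bypassed by the next helper someone adds.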

Intent-Code Divergence
High severity, 96% confidence

The security comments state that credentials and certificates must never be written to disk, yet the code path later decodes client_certificate_data and client_key_data from kubeconfig and writes them to files. Temporary files can be exposed via weak filesystem permissions, crashes before cleanup, or other local processes, resulting in credential theft and cluster compromise.
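When the TLS client genuinely requires files, the three exposure paths the finding lists (weak permissions, crash before cleanup, other local processes) each have a direct mitigation. The following added example, not the skill's code, shows them together; the kubeconfig user entry is a constructed sample whose base64 payloads are placeholders rather than real certificates, and the field names client-certificate-data and client-key-data are the standard kubeconfig keys.

```python
"""Added example: materializing kubeconfig client-certificate material safely.

Not code from the scanned skill. SAMPLE_USER is a constructed kubeconfig
`users[].user` entry with placeholder payloads, not real certificates.
"""
import base64
import os
import shutil
import stat
import tempfile
from contextlib import contextmanager

SAMPLE_USER = {
    "client-certificate-data": base64.b64encode(
        b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
    "client-key-data": base64.b64encode(
        b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n").decode(),
}


@contextmanager
def materialized_client_creds(user_entry):
    """Yield (cert_path, key_path) for a TLS client that insists on files.

    - mkdtemp creates a 0700 directory and the files are opened 0600, so other
      local users cannot read the key;
    - O_CREAT|O_EXCL makes a pre-planted file or symlink at that name an error
      instead of a write into an attacker-chosen location;
    - cleanup runs in `finally`, so an exception in the caller still removes
      the files.
    """
    tmpdir = tempfile.mkdtemp(prefix="cce-inspect-")
    try:
        paths = []
        for field, name in (("client-certificate-data", "client.crt"),
                            ("client-key-data", "client.key")):
            raw = base64.b64decode(user_entry[field], validate=True)
            path = os.path.join(tmpdir, name)
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "wb") as fh:
                fh.write(raw)
            paths.append(path)
        yield tuple(paths)
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def probe(user_entry=SAMPLE_USER, fail_inside=False):
    """Run the context manager and report what a local observer could see,
    optionally simulating a crash before the caller reaches cleanup."""
    report = {}
    try:
        with materialized_client_creds(user_entry) as (crt, key):
            report["tmpdir"] = os.path.dirname(key)
            report["dir_mode"] = _mode(report["tmpdir"])
            report["crt_mode"] = _mode(crt)
            report["key_mode"] = _mode(key)
            with open(key, "rb") as fh:
                report["key_bytes"] = fh.read()
            if fail_inside:
                raise RuntimeError("simulated crash before cleanup")
    except RuntimeError:
        report["raised"] = True
    report["dir_exists_after"] = os.path.exists(report["tmpdir"])
    return report
```

This narrows the window but does not close it: the key still touches disk, and root or a same-user process can read it while the context is open. Where the client supports in-memory TLS material, or the cluster can be reached with a short-lived bearer token or exec-based credential plugin instead of an inline client key, nothing needs to be written at all, which is what the skill's own comments promise.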

Description-Behavior Mismatch
Critical severity, 99% confidence

This skill is explicitly described as a read-only daily cluster inspection tool, yet it exposes write-capable functions to create, update, enable, disable, and delete AOM alarm and action rules. That creates a dangerous capability mismatch: an operator or downstream agent invoking an ostensibly safe inspection skill could silently modify monitoring controls, suppress alerts, or remove notification paths.

Context-Inappropriate Capability
High severity, 96% confidence

The file includes broad monitoring configuration management capabilities that are not justified by the stated use case of low-risk periodic inspection. Even where confirm flags are present, bundling privileged modification routines into an inspection skill expands the blast radius and makes accidental or policy-bypassing misuse much more likely.

Description-Behavior Mismatch
High severity, 99% confidence

This file performs a live Kubernetes Deployment mutation via `replace_namespaced_deployment`, enabling rollback of workloads in a skill explicitly described as read-only daily inspection. Even though it is preview-first and gated by `confirm=true`, the capability is still embedded in the inspection skill, so a caller can trigger state-changing remediation through a context that should only permit observation.

Context-Inappropriate Capability
High severity, 98% confidence

`auto_remediation_run` orchestrates diagnosis, rollback preview/execution, optional waiting, and report generation inside a low-risk inspection skill. This violates least privilege and increases the chance that a routine health-check workflow escalates into production changes, especially if upstream agents auto-select this skill based on inspection-related triggers.

Intent-Code Divergence
Medium severity, 86% confidence

The module docstring says 'Preview-first CCE remediation orchestration,' which understates that the module can execute real rollback mutations when `confirm=true`. In a security-sensitive agent ecosystem, misleading safety framing can cause operators or higher-level planners to trust the module as mostly non-destructive, increasing the risk of unsafe invocation.

Description-Behavior Mismatch
Medium severity, 84% confidence

The function collects Cluster Autoscaler pod logs and performs forensic parsing, which can expose operationally sensitive cluster and workload data not implied by a 'daily health-check' or 'heartbeat summary' skill. In this skill context, hidden log access is more dangerous because users may reasonably expect lightweight inspection, while logs can contain identifiers, scheduling details, errors, and infrastructure metadata.

Context-Inappropriate Capability
Medium severity, 95% confidence

The code writes a markdown report to an arbitrary filesystem path supplied by the caller, which violates the skill's read-only operational promise and creates a file-write primitive. If an attacker can influence output_file, this could overwrite local files, plant data in sensitive locations, or persist collected cluster information on disk.
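The fix for a caller-controlled output path is to stop treating it as a path: accept a bare filename, pin it under one report directory, and refuse anything that resolves elsewhere, including a symlink planted under an innocent name. The following added example, not the skill's code, does that and also refuses to overwrite an existing report; `output_file` is the parameter the finding names, while REPORT_ROOT and the helper names are assumptions.

```python
"""Added example: confining a caller-supplied report path to one directory.

Not code from the scanned skill. REPORT_ROOT and the helper names are
assumptions; the directory layout in demo() is constructed.
"""
import os
import tempfile
from pathlib import Path

REPORT_ROOT = Path("/var/lib/cce-inspector/reports")   # hypothetical location


class UnsafeOutputPath(ValueError):
    pass


def resolve_report_path(output_file, root=REPORT_ROOT) -> Path:
    """Map output_file to a path directly under root, or raise.

    Only a bare `*.md` filename is accepted: no absolute paths, no
    subdirectories, no `..`. After joining, resolve() follows any symlink
    already planted at that name, so a link pointing outside root is caught by
    the parent check.
    """
    root = Path(root).resolve()
    candidate = Path(output_file)
    if candidate.is_absolute() or len(candidate.parts) != 1 or candidate.suffix != ".md":
        raise UnsafeOutputPath(f"output_file must be a bare *.md filename, got {output_file!r}")
    resolved = (root / candidate).resolve()
    if resolved.parent != root:
        raise UnsafeOutputPath(f"{output_file!r} escapes the report directory")
    return resolved


def is_safe_output(output_file, root=REPORT_ROOT) -> bool:
    try:
        resolve_report_path(output_file, root)
        return True
    except UnsafeOutputPath:
        return False


def write_report(output_file, markdown, root=REPORT_ROOT) -> Path:
    """Create the report without following symlinks and without clobbering an
    existing file: a rerun with the same name must choose a new name rather
    than silently overwrite."""
    path = resolve_report_path(output_file, root)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o640)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(markdown)
    return path


def demo():
    """Exercise the checks against a constructed directory layout."""
    root = tempfile.mkdtemp(prefix="reports-")
    outside = tempfile.mkdtemp(prefix="outside-")
    # Someone with write access to the report directory plants a symlink under
    # an innocent-looking name so that a later write lands outside it.
    os.symlink(os.path.join(outside, "victim.md"), os.path.join(root, "planted.md"))
    verdicts = {name: is_safe_output(name, root) for name in
                ("daily.md", "../daily.md", "/etc/passwd", "sub/daily.md",
                 "daily.txt", "planted.md", "..")}
    written = write_report("daily.md", "# constructed report\n", root)
    verdicts["written_inside_root"] = written.parent == Path(root).resolve()
    verdicts["content"] = written.read_text(encoding="utf-8")
    verdicts["rerun_rejected"] = False
    try:
        write_report("daily.md", "# second run\n", root)
    except FileExistsError:
        verdicts["rerun_rejected"] = True
    return verdicts
```

Checking the resolved parent rather than a string prefix matters: a prefix test on `/var/lib/cce-inspector/reports` would accept `/var/lib/cce-inspector/reports-old/x.md`, and it would not notice a symlink at all.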

Description-Behavior Mismatch
Critical severity, 99% confidence

The skill metadata explicitly frames this skill as a low-risk, read-only daily inspection tool, but this function performs permanent cluster deletion. That mismatch is security-relevant because agents or users may invoke the skill under false assumptions, leading to destructive actions in a context that should never mutate infrastructure.

Description-Behavior Mismatch
High severity, 99% confidence

This function deletes cluster nodes even though the skill is described as read-only inspection. Such hidden mutation expands blast radius beyond expected usage and could disrupt workloads or availability if an agent trusts the manifest and calls the tool during routine health checks.

Description-Behavior Mismatch
High severity, 98% confidence

Resizing node pools changes cluster capacity, billing, and workload placement, which directly contradicts the stated low-risk inspection purpose. In an agentic environment, this kind of scope deception can cause unintended infrastructure changes from seemingly safe operational prompts.

Description-Behavior Mismatch
High severity, 98% confidence

Scaling workloads mutates live Kubernetes resources and can change service availability, cost, and application behavior. Including it in a read-only inspection skill creates dangerous hidden authority because downstream orchestrators may select this skill precisely because its manifest promises non-mutating behavior.

Description-Behavior Mismatch
High severity, 98% confidence

This function modifies replicas and container resource requests/limits, which is a substantial live-configuration change inconsistent with a daily inspection tool. The danger comes from privilege expansion through mislabeling: a caller expecting telemetry-only behavior could unintentionally trigger production changes.

Description-Behavior Mismatch
Critical severity, 99% confidence

Deleting Deployments or StatefulSets is highly destructive and plainly incompatible with a read-only cluster heartbeat or inspection role. Because the manifest advertises safety, this discrepancy materially increases the chance of accidental or policy-bypassing destructive use.

Description-Behavior Mismatch
High severity, 97% confidence

Hibernating or waking a cluster changes runtime state, workload availability, and billing, so it is not compatible with a read-only health-check skill. This broadens the skill from observability into control operations under misleading packaging, which is dangerous in automated agent selection contexts.

Description-Behavior Mismatch
High severity, 98% confidence

Cordon, uncordon, and drain are active scheduling and eviction operations that affect workload placement and availability. Presenting them inside a read-only inspection skill makes the skill materially more dangerous because even a benign 'check node status' workflow can expose hidden mutation capabilities.

Description-Behavior Mismatch
High severity, 97% confidence

Binding or unbinding a control-plane EIP alters public exposure of the Kubernetes API server, which is a sensitive network/security change. That is far outside the declared read-only inspection scope and can inadvertently expose or disrupt cluster management access.

Context-Inappropriate Capability
High severity, 99% confidence

Returning kubeconfig and client certificate material grants reusable cluster access credentials, which is far beyond what a daily inspection tool should expose. In this context, the mismatch is especially dangerous because credential exfiltration can enable direct cluster control outside the skill's intended workflow.

Context-Inappropriate Capability
High severity, 99% confidence

This function can enumerate Kubernetes Secrets and optionally return secret contents, which is not justified by a heartbeat or health-check use case. Exposing secret material materially increases the risk of credential theft, lateral movement, and compromise of applications integrated with the cluster.
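An inspection skill can still answer "which Secrets exist and what keys do they hold" and "which cluster does this kubeconfig point at" without ever handing back the values. The two findings above (kubeconfig and client certificate material; Secret contents) call for the same redaction step at the boundary where results leave the skill, so one added example covers both. It is not the skill's code: SAMPLE_SECRET and SAMPLE_KUBECONFIG are constructed objects in the standard Kubernetes Secret and kubeconfig layouts, and SENSITIVE_KEYS is an assumption to extend per deployment.

```python
"""Added example: stripping credential material from inspection results
before they are returned to a caller or agent.

Not code from the scanned skill. The sample objects are constructed and the
key list is an assumption.
"""
import base64

# Keys whose values are credentials (or, for Secret `data`, a map of them).
# certificate-authority-data is deliberately absent: the CA certificate is public
# and an inspector legitimately needs to know which CA a cluster uses.
SENSITIVE_KEYS = frozenset({
    "data", "stringdata",                            # Secret payload
    "client-key-data", "client-certificate-data",    # kubeconfig inline TLS material
    "client-key", "client-certificate",              # kubeconfig file references
    "token", "tokenfile", "password",
})


def _marker(value):
    if isinstance(value, dict):                      # keep key names, hide contents
        return {k: "<redacted>" for k in value}
    if isinstance(value, (str, bytes)):
        return f"<redacted {len(value)} chars>"
    return "<redacted>"


def redact(obj):
    """Return (copy with credentials removed, list of redacted paths).

    Walks nested dicts and lists, so the same routine serves a Secret list, a
    single Secret, or a whole kubeconfig document. The input is not modified.
    """
    paths = []

    def walk(node, where):
        if isinstance(node, dict):
            out = {}
            for k, v in node.items():
                here = f"{where}.{k}" if where else str(k)
                if str(k).lower() in SENSITIVE_KEYS:
                    out[k] = _marker(v)
                    paths.append(here)
                else:
                    out[k] = walk(v, here)
            return out
        if isinstance(node, list):
            return [walk(v, f"{where}[{i}]") for i, v in enumerate(node)]
        return node

    return walk(obj, ""), paths


def list_secrets_for_agent(secrets):
    """What an inspection skill should hand back: names, namespaces, types and
    key names, never values."""
    return [redact(s)[0] for s in secrets]


# Constructed samples; the base64 payloads are placeholders.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "db-creds", "namespace": "payments"},
    "data": {"username": base64.b64encode(b"app").decode(),
             "password": base64.b64encode(b"constructed-not-real").decode()},
}

SAMPLE_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "cce-prod", "cluster": {
        "server": "https://192.0.2.10:5443",
        "certificate-authority-data": base64.b64encode(b"placeholder-ca").decode()}}],
    "users": [{"name": "inspector", "user": {
        "client-certificate-data": base64.b64encode(b"placeholder-cert").decode(),
        "client-key-data": base64.b64encode(b"placeholder-key").decode()}}],
    "contexts": [{"name": "prod", "context": {"cluster": "cce-prod", "user": "inspector"}}],
}
```

The returned path list is worth logging: it records that a result contained credentials and where, which is the audit trail a reviewer wants when deciding whether the inspection surface is still too broad.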

Context-Inappropriate Capability
Medium severity, 84% confidence

Pod log access is broader than a quick health-check purpose and may expose sensitive application data, tokens, stack traces, or PII. While logs can be operationally useful, unrestricted retrieval in a low-risk inspection skill expands data-exposure scope beyond what the manifest suggests.

Description-Behavior Mismatch
High severity, 99% confidence

This file contains multiple mutating operations (addon install, update, uninstall, and live configuration changes) even though the skill is described as a read-only daily inspection tool. That mismatch is dangerous because users or higher-level agents may invoke the skill under false assumptions, leading to unauthorized or accidental production changes in a sensitive cluster-management context.

Context-Inappropriate Capability
High severity, 99% confidence

The bursting addon configuration function modifies network- and scheduling-related parameters for a live CCE addon, which is far beyond the stated scope of heartbeat or daily health inspection. In a cluster environment, changing subnet, VPC-related, or scheduling settings can disrupt workloads, alter connectivity, or create unintended exposure paths.

Intent-Code Divergence
Medium severity, 91% confidence

The module docstring explicitly frames the file as addon management, which conflicts with the surrounding skill metadata claiming read-only inspection behavior. This inconsistency increases the risk of unsafe tool exposure because operators and orchestrators may trust the manifest while the implementation includes privileged write actions.

VirusTotal

65/65 vendors flagged this skill as clean.