Huawei Cloud Cce Dependency Impact Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill presents itself as read-only dependency analysis, but the bundled dispatcher can read sensitive cluster data and perform live cloud or Kubernetes changes.

Review carefully before installing. Use only with tightly scoped read-only Huawei Cloud and Kubernetes credentials, and do not expose broad production credentials to this skill unless you intentionally want the bundled administrative actions available. Treat confirm=true actions as capable of changing or disrupting live infrastructure, and avoid using arbitrary report output paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (149)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill declares no explicit permissions while instructing execution of local scripts, environment checks, dependency installation, credential use, filesystem access, and networked cloud/API operations. That creates an authority-transparency gap: operators may believe this is a low-risk read-only analyzer, but it can access sensitive environment variables and invoke shell-based behavior with broader capabilities than disclosed.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 87%
Finding: The skill is presented as a read-only dependency impact analyzer, but the static finding indicates the bundled dispatcher may expose numerous destructive and unrelated actions, including mutation of cloud resources and remediation flows. If true, this is dangerous because a user invoking a seemingly safe analysis skill could accidentally or indirectly trigger high-privilege operations far outside the stated scope, including cluster, node, workload, and alarm changes.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The wrapper exposes destructive operations such as cluster, node, and workload deletion plus scaling/resizing through the exported compatibility aliases, even though the skill is described as a read-only dependency-impact analyzer. In an agent setting, this capability mismatch materially increases the chance that a prompt, tool-selection mistake, or adversarial instruction could trigger state-changing operations against production infrastructure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The skill bundles broad cloud inventory, monitoring, IAM/project lookup, kubeconfig retrieval, and infrastructure enumeration capabilities beyond the declared topology-impact-analysis scope. Excess capability widens blast radius for misuse and increases sensitive data exposure if the agent is prompted outside its intended use case.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: The file explicitly states certificates must not be saved to the filesystem, yet `_configure_k8s_client_certificate_files` writes base64-decoded client certificate and private key material to disk for Kubernetes access. Even if intended as temporary files, writing credential material to disk creates exposure through local compromise, race conditions, backups, or incomplete cleanup, and directly violates the stated security constraints.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: This file materially exceeds the stated skill scope of dependency-impact analysis by exposing create, update, delete, enable, and disable operations for AOM alarms and notification-related resources. In an agent setting, this scope expansion is dangerous because a user invoking a topology-analysis skill could be steered into making state-changing monitoring changes that suppress detection, generate noise, or alter incident response behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The code manages AOM action/notification and mute-rule resources even though those capabilities are unrelated to dependency blast-radius analysis. Such controls can be abused to weaken alerting coverage or remove operational visibility, which is especially risky during an incident when users may trust this skill to be observational rather than mutating.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: This file implements rollback orchestration against live CCE/Kubernetes workloads, including replacing a Deployment template and submitting the change to the cluster. That is materially different from the declared skill purpose of read-only dependency impact analysis, so invoking the skill could cause unauthorized state-changing actions in an analysis context.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The top-level flow performs diagnosis, chooses a rollback strategy, optionally executes the rollback, waits for recovery, and writes a report. For a skill advertised as dependency-impact analysis, this hidden auto-recovery behavior creates a dangerous mismatch that can trigger operational changes when a caller expects only topology analysis.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The code deep-copies a prior ReplicaSet template, assigns it to the Deployment, annotates it, and calls replace_namespaced_deployment, which changes cluster state. In the context of a dependency-impact analyzer, this is an unjustified infrastructure mutation capability that could be abused to roll back services and cause outages or unauthorized releases.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The function writes a generated report to a caller-supplied path without constraining the destination. If an attacker can control output_file, this can overwrite arbitrary files accessible to the process, creating a path-traversal/unsafe file-write primitive in a skill that should not need filesystem write access for its stated purpose.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding: The module advertises itself as remediation orchestration even though the enclosing skill is documented as dependency impact analysis. This scope mismatch is a security issue because it increases the chance that operators or higher-level agents will grant the skill access or invoke it under read-only assumptions while it contains mutation logic.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The file implements broad CCE administration capabilities including cluster/node/workload deletion, scaling, hibernation, EIP binding, secret access, kubeconfig retrieval, and node drain operations, which far exceed the declared dependency-impact analysis purpose. This creates a dangerous scope mismatch: an operator invoking a topology-analysis skill could unknowingly gain destructive and credential-access functionality in the same skill surface.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The skill exposes cluster secret enumeration and optional secret data return, which is unrelated to dependency impact analysis and directly enables access to sensitive credentials, tokens, and application secrets. Because this capability is embedded in an analysis-oriented skill, it increases the chance of misuse or accidental exfiltration under a benign-seeming workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: Pod log retrieval is outside the declared dependency-topology scope and can expose credentials, PII, API keys, internal URLs, or business data commonly present in application logs. In an analysis skill, this broadens data access beyond what users would reasonably expect from topology mapping alone.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The skill can retrieve and return full kubeconfig and certificate material, which grants cluster API access and can enable full compromise of the target Kubernetes environment. This capability is not justified by dependency impact analysis and represents direct credential access embedded in a misleadingly scoped skill.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The file exposes addon install, update, uninstall, and configuration operations even though the skill is described as dependency-impact analysis and reporting. This capability mismatch is dangerous because an agent or user invoking what appears to be a read-only analysis skill could instead perform live cluster mutations, creating a privilege-expansion and unexpected side-effect risk.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The code includes infrastructure-mutating APIs that are not justified by a dependency-impact analysis use case, including addon creation, update, deletion, and live configuration changes. In the context of an analysis skill, these hidden write paths increase the chance of accidental or unauthorized modifications to production CCE clusters and can be abused to disrupt services or alter monitoring/network behavior.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: This file materially exceeds the stated purpose of a dependency-impact topology analysis skill by implementing application/audit log discovery plus cluster LogConfig management. That capability expansion is dangerous because it gives an analysis-oriented skill hidden operational reach into observability configuration and sensitive cluster telemetry, increasing the chance of misuse and privilege abuse.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The code can create and delete CCE LogConfig custom resources, which can change cluster-wide log collection behavior and disable or redirect logs. In a skill advertised for dependency-impact analysis, that is an unjustified write/destructive capability that could be abused to hide activity, impair monitoring, or alter data flow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: Querying and analyzing application and audit logs is outside the declared topology dependency-impact scope and exposes potentially sensitive operational data. While read-only, this broad telemetry access enlarges the blast radius of the skill and may let a caller retrieve information they would not expect this skill to access.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The implementation materially diverges from the declared skill purpose of dependency impact and topology blast-radius analysis. Instead, it performs broad cluster health inspection, root-cause inference, and remediation planning, which can cause an agent to invoke the skill under false assumptions and expose much more operational data than the user intended. In a security-sensitive agent environment, this scope mismatch is dangerous because authorization, review, and user consent are usually tied to the declared skill purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The code generates concrete operational recovery actions such as scaling workloads and changing CPU limits, even though the skill metadata frames the skill as an analysis tool. Even if the code does not directly execute those actions, producing prescriptive mutation steps can prompt downstream agents or operators to perform risky changes without proper approval boundaries, expanding the skill from read-only analysis into operational change guidance.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The implemented skill performs availability-risk scanning, cluster inventory collection, metrics retrieval, and report generation rather than the dependency-impact/topology propagation analysis promised by the manifest. This mismatch is security-relevant because users may invoke the skill expecting scoped topology analysis, but it actually enumerates broad cluster state and writes outputs, expanding data access and operational side effects beyond the declared purpose.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The module and function docstrings explicitly advertise an availability risk scanner, directly contradicting the dependency-impact analyzer metadata. In a security-sensitive agent ecosystem, this kind of self-contradiction undermines trust boundaries and can cause operators or orchestrators to authorize broader cluster inspection than intended.

VirusTotal

65/65 vendors flagged this skill as clean.