Huawei Cloud Cce Kubernetes Event Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as a read-only CCE event analyzer, but its bundled executable code exposes broad Huawei Cloud and Kubernetes admin actions, including infrastructure changes and credential/secret access.

Review before installing. Use only with tightly scoped Huawei IAM and Kubernetes RBAC credentials, ideally read-only credentials for event queries. Do not install it into an agent environment where arbitrary skill commands may be invoked unless the broad admin dispatcher is removed or restricted, TLS verification is fixed, and credential/secret/log access is explicitly approved.
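As an added illustration of the tightly scoped Kubernetes RBAC the overview calls for (example code written for this page, not part of the skill or of Huawei Cloud), the following Python compares a read-only, events-only ClusterRole against an over-broad one and flags anything beyond get/list/watch on events. Both roles and the sensitive-resource list are constructed for the example; the same check can be run over whatever role the skill's credential is actually bound to.

```python
from typing import Dict, List

# Constructed example roles for illustration; neither is taken from the skill or from Huawei Cloud.
EVENT_READER_ROLE: Dict = {
    "kind": "ClusterRole",
    "metadata": {"name": "cce-event-reader"},
    "rules": [
        {"apiGroups": ["", "events.k8s.io"], "resources": ["events"],
         "verbs": ["get", "list", "watch"]},
    ],
}

OVERBROAD_ROLE: Dict = {
    "kind": "ClusterRole",
    "metadata": {"name": "cce-skill-admin"},
    "rules": [
        {"apiGroups": ["", "apps"], "resources": ["secrets", "pods/log", "deployments/scale"],
         "verbs": ["*"]},
    ],
}

READ_VERBS = {"get", "list", "watch"}
# Resources and sub-resources that hand out credentials or credential-bearing data.
SENSITIVE_RESOURCES = {"secrets", "pods/log", "serviceaccounts/token", "pods/exec"}


def audit_role(role: Dict) -> List[str]:
    """Return policy violations for a role that is supposed to do nothing but read events.

    An empty list means the role is acceptable for an event-query credential."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        extra_verbs = verbs - READ_VERBS          # "*" is treated as mutating
        if extra_verbs:
            findings.append(f"rule {i}: non-read verbs {sorted(extra_verbs)}")
        if "*" in resources:
            findings.append(f"rule {i}: wildcard resources")
        sensitive = resources & SENSITIVE_RESOURCES
        if sensitive:
            findings.append(f"rule {i}: sensitive resources {sorted(sensitive)}")
    return findings
```

Bind the skill's Huawei IAM user to a credential whose ClusterRole passes this audit; if the skill's own dispatcher still exposes delete, resize and scale actions, RBAC denial is what stops them.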

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (49)

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The file header presents the skill as a read-only Huawei Cloud query/monitoring wrapper, but the exported aliases include destructive capabilities such as delete_cce_cluster, delete_cce_node, delete_cce_workload, resize_node_pool, and scale_cce_workload. This mismatch is dangerous because users or higher-level agents may authorize the tool under the assumption that it is observational only, enabling unexpected modification or destruction of cloud and Kubernetes resources.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The compatibility alias block exposes broad infrastructure control functions, including cluster deletion, node deletion, workload deletion, node-pool resizing, and workload scaling, while the top-level script still appears to be a general wrapper. In an agent skill context, bundling high-risk control operations with benign inventory/metrics actions increases the chance of accidental or unauthorized destructive execution.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The auto-remediation flow enables `include_logs` by default during rollout diagnosis, which can collect pod logs before the user has explicitly confirmed remediation. Pod logs commonly contain secrets, tokens, internal URLs, stack traces, and customer data, so this creates an unnecessary data-exposure path for a feature whose primary purpose is rollback orchestration. In this context, the skill is operationally privileged and targets production clusters, which makes silent log collection more sensitive rather than less.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill writes a markdown report to an arbitrary local path supplied by `output_file` without validation or scope restriction. This can expose sensitive cluster details and diagnostic content to unintended filesystem locations, and if an attacker can influence the path, it can overwrite files accessible to the running agent account. Because the report may include diagnosis results and action outcomes from a cloud remediation workflow, the local write behavior increases confidentiality and integrity risk.
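The unvalidated `output_file` write above is fixed by confining the path to a report directory and refusing to overwrite. The following is an added example for this page, not the skill's code: it resolves the caller's path against a base directory, rejects anything that escapes it (absolute paths, `..` segments, symlinks that point outside), requires a `.md` extension, and opens the file in exclusive-create mode so an existing file is never clobbered. The directory layout and file names are constructed for the example.

```python
import tempfile
from pathlib import Path


class UnsafeOutputPath(ValueError):
    """Raised when a caller-supplied report path is rejected."""


def safe_report_path(output_file: str, base_dir: str) -> Path:
    """Resolve output_file against base_dir and refuse anything that escapes it.

    Absolute paths, '..' segments and symlinks are resolved first, so the
    relative_to() check sees the real location the write would land on."""
    base = Path(base_dir).resolve()
    target = (base / output_file).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise UnsafeOutputPath(f"{output_file!r} resolves outside {base}") from None
    if target.suffix != ".md":
        raise UnsafeOutputPath("report path must end in .md")
    return target


def write_report(markdown: str, output_file: str, base_dir: str) -> Path:
    """Write the report inside base_dir, creating parents, without overwriting an existing file."""
    path = safe_report_path(output_file, base_dir)
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "x", encoding="utf-8") as fh:   # 'x': fail if the file already exists
        fh.write(markdown)
    return path


def demo() -> tuple:
    """Exercise the checks in a scratch directory (constructed inputs).

    Returns (written file name, traversal rejected, absolute path rejected)."""
    with tempfile.TemporaryDirectory() as scratch:
        written = write_report("# diagnosis\n", "reports/cce-diagnosis.md", scratch)
        rejected = []
        for bad in ("../../etc/cron.d/job.md", "/root/.bashrc"):
            try:
                safe_report_path(bad, scratch)
                rejected.append(False)
            except UnsafeOutputPath:
                rejected.append(True)
        return written.name, rejected[0], rejected[1]
```

Choose `base_dir` per invocation (for example a directory the agent account owns and nothing else reads) rather than letting the caller pass it alongside `output_file`, otherwise the confinement is only as good as the second argument.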

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill includes a `list_cce_secrets` capability that can enumerate Kubernetes Secrets across namespaces and optionally return their full data via `include_data=True`. In a general CCE management skill, exposing secret inventory and especially secret contents materially expands credential-access capability and can directly enable compromise of workloads, service accounts, registries, and downstream systems.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`get_cce_kubeconfig` mints fresh cluster client credentials and returns the full kubeconfig, including certificate material, to the caller. That gives broad reusable access to the Kubernetes API well beyond a single bounded operation, effectively turning the skill into a credential-extraction mechanism.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The `get_pod_logs` function can retrieve arbitrary pod logs, which commonly contain secrets, tokens, connection strings, stack traces, and sensitive operational data. In an agent skill with broad cluster reach and no per-namespace or per-workload authorization controls, this becomes a meaningful data-exposure channel.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The function is named and documented as if it merely retrieves an existing kubeconfig, but it actually calls create_kubernetes_cluster_cert to mint new cluster certificate material. In an agent skill context, this is dangerous because a caller may invoke what appears to be a read-only/introspection action and unknowingly generate fresh privileged credentials that are then returned in full, enabling unauthorized cluster access and expanding credential exposure.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The docstring says 'Get kubeconfig' but the implementation generates a new cluster certificate with configurable validity, which is a materially more sensitive operation than retrieval. This mismatch can mislead downstream agents, reviewers, or users into treating a credential-issuing action as harmless, increasing the chance of unintended secret generation and disclosure.

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The file is presented as a diagnosis tool, but it also contains remediation and infrastructure-changing capabilities such as workload scaling and node pool expansion. In an agent-skill context, hidden mutation behind a diagnostic interface is dangerous because a caller may invoke the skill expecting read-only behavior while it can change production capacity and availability.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The scale_workload path retrieves cluster credentials and patches a Kubernetes Deployment scale, which is a privileged state-changing action unrelated to pure diagnosis. In an automation setting, this can be abused to disrupt service, inflate cost, or mask incidents by modifying live workloads.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The huawei_expand_nodepool function exposes direct node pool resizing, giving the skill privileged control over cluster infrastructure. If misused, it can cause major cost increases, capacity shifts, or operational instability in production.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code provides bulk enumeration of Kubernetes Secrets across namespaces and can return secret.data for every secret when include_data is enabled. In an agent skill context, this greatly increases the chance of credential harvesting, large-scale secret exposure, and downstream compromise because the function is packaged as a convenient general-purpose data extractor.
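Both `list_cce_secrets` findings above (the earlier one on `include_data=True`, and this one on bulk `secret.data` return) describe the same capability, so one added example serves both. It is not the skill's code: a secrets listing that returns inventory only (namespace, name, type, key names and decoded value sizes) and releases raw `data` for a secret only when `include_data` is set and the `(namespace, name)` pair is on an explicit allowlist. The sample secrets are constructed placeholders, not real credentials.

```python
import base64
from typing import Dict, Iterable, List, Optional, Tuple


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample of a Secrets list response; values are placeholders, not real credentials.
SAMPLE_SECRETS: List[Dict] = [
    {"metadata": {"namespace": "prod", "name": "registry-cred"},
     "type": "kubernetes.io/dockerconfigjson",
     "data": {".dockerconfigjson": _b64(b'{"auths":{}}')}},
    {"metadata": {"namespace": "dev", "name": "db"},
     "type": "Opaque",
     "data": {"password": _b64(b"hunter2"), "host": _b64(b"db.internal")}},
]


def summarize_secret(secret: Dict) -> Dict:
    """Inventory view: namespace, name, type, and key names with decoded sizes. No values."""
    data = secret.get("data") or {}
    return {
        "namespace": secret["metadata"]["namespace"],
        "name": secret["metadata"]["name"],
        "type": secret.get("type", "Opaque"),
        "keys": {k: len(base64.b64decode(v)) for k, v in data.items()},
    }


def list_secrets(secrets: Iterable[Dict], include_data: bool = False,
                 data_allowlist: Optional[Iterable[Tuple[str, str]]] = None) -> List[Dict]:
    """List secrets as inventory. Raw data is attached only for (namespace, name) pairs
    on an explicit allowlist, and only when include_data is also set.

    The allowlist is an application-level guard; the credential's RBAC must still
    permit the read, and the two controls are meant to be used together."""
    allowed = set(data_allowlist or [])
    out = []
    for secret in secrets:
        entry = summarize_secret(secret)
        if include_data and (entry["namespace"], entry["name"]) in allowed:
            entry["data"] = dict(secret.get("data") or {})
        out.append(entry)
    return out
```

Key names and sizes are usually enough for diagnosis (a zero-length `password` or a missing `.dockerconfigjson` key explains most pull and auth failures) without ever moving the values into an agent's context window or logs.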

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The CPU PromQL for get_cce_node_metrics is malformed because the generated expression is missing a closing parenthesis, which can cause the query to fail at runtime. In addition, the documented node_ip filter may not work as intended, so callers may receive no data or incorrect monitoring results for a target node, weakening operational visibility during troubleshooting or incident response.
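The malformed CPU expression described above (an unclosed parenthesis that only fails at query time) is the kind of defect a check on the generated query catches before the request is sent. The following is an added example, not the skill's code: a bracket-balance check that ignores brackets inside PromQL string literals, and a node CPU query builder that applies a `node_ip` filter as an `instance` label matcher and refuses to return an unbalanced expression. The metric name, label names and the exact filter form are assumptions for the example, not the skill's query.

```python
from typing import Optional

_CLOSERS = {")": "(", "]": "[", "}": "{"}


def promql_balance_error(expr: str) -> Optional[str]:
    """Return None if (), [] and {} balance outside quoted strings, else a message with the offset.

    Brackets inside PromQL string literals (label values, regexes) are skipped,
    so `instance=~"10.0.0.5(:9100)?"` does not produce a false positive."""
    stack = []
    quote = None
    i = 0
    while i < len(expr):
        ch = expr[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in ('"', "'", "`"):
            quote = ch
        elif ch in "([{":
            stack.append((ch, i))
        elif ch in _CLOSERS:
            if not stack or stack[-1][0] != _CLOSERS[ch]:
                return f"unexpected {ch!r} at offset {i}"
            stack.pop()
        i += 1
    if quote:
        return "unterminated string literal"
    if stack:
        ch, pos = stack[-1]
        return f"unclosed {ch!r} opened at offset {pos}"
    return None


# Constructed example of the defect class in the finding: one ')' short.
BROKEN_CPU_EXPR = "100 * (1 - avg(rate(x[5m]))"


def node_cpu_query(node_ip: Optional[str] = None, window: str = "5m") -> str:
    """Build a node CPU-busy percentage expression and validate it before returning.

    Assumptions for this example: node_exporter's node_cpu_seconds_total with an
    `instance` label of the form <ip>:<port>. Dots in node_ip match any character
    in the regex, which is acceptable for an IPv4 literal."""
    selector = 'mode="idle"'
    if node_ip:
        selector += f', instance=~"{node_ip}:[0-9]+"'
    expr = f"100 - 100 * avg by (instance) (rate(node_cpu_seconds_total{{{selector}}}[{window}]))"
    err = promql_balance_error(expr)
    if err:
        raise ValueError(f"generated PromQL is malformed ({err}): {expr}")
    return expr
```

Running the balance check inside the builder turns a silent empty result from the monitoring backend into a loud error in the skill's own logs, which is where an operator troubleshooting a node actually looks.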

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The function is intended to stop one specific ECS instance: it builds a stop option containing the target server, but then overwrites `body.os_stop` with a new `BatchStopServersOption(type=stop_type)` that omits the `servers` list, so the request actually sent names no target. In an infrastructure-management skill, malformed or under-scoped destructive requests are dangerous because the outcome then depends on SDK and server-side handling of the missing field rather than on the caller's intent, and may affect more resources than the caller meant to touch.
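The dropped `servers` list above is easy to reproduce and easy to guard against. The following is an added example, not the skill's code: local dataclass stand-ins modelled on the two request types named in the finding (constructed here, not imported from the Huawei Cloud SDK), the defective assignment sequence beside the corrected one, and a preflight check that refuses to send any batch request whose body does not name exactly the intended targets.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


# Local stand-ins modelled on the ECS batch-stop request types named in the finding.
# They are constructed for this example, not imported from the Huawei Cloud SDK.
@dataclass
class BatchStopServersOption:
    type: str = "SOFT"                       # SOFT or HARD
    servers: Optional[List[dict]] = None     # [{"id": "<server id>"}, ...]


@dataclass
class BatchStopServersRequestBody:
    os_stop: Optional[BatchStopServersOption] = None


def stop_body_as_found(server_id: str, stop_type: str = "SOFT") -> BatchStopServersRequestBody:
    """Reproduces the defect pattern: the scoped option is built, then replaced by one with no servers."""
    body = BatchStopServersRequestBody()
    body.os_stop = BatchStopServersOption(type=stop_type, servers=[{"id": server_id}])
    body.os_stop = BatchStopServersOption(type=stop_type)    # servers list silently dropped
    return body


def targets(body: BatchStopServersRequestBody) -> List[str]:
    """Server ids the request would act on; an empty list means the request is under-scoped."""
    opt = body.os_stop
    return [s["id"] for s in (opt.servers or [])] if opt else []


def assert_targets(body: BatchStopServersRequestBody, expected: Set[str]) -> None:
    """Preflight for any destructive batch request: refuse unless the body names exactly the intended targets."""
    actual = set(targets(body))
    if actual != expected:
        raise ValueError(f"request targets {sorted(actual)} != intended {sorted(expected)}")


def stop_body_fixed(server_id: str, stop_type: str = "SOFT") -> BatchStopServersRequestBody:
    """Builds the option once, with the target, and validates before returning."""
    if stop_type not in ("SOFT", "HARD"):
        raise ValueError(f"unsupported stop type {stop_type!r}")
    body = BatchStopServersRequestBody(
        os_stop=BatchStopServersOption(type=stop_type, servers=[{"id": server_id}])
    )
    assert_targets(body, {server_id})
    return body
```

The same `assert_targets` shape applies to the skill's other destructive dispatchers (cluster, node and workload deletion): compute the set of objects the serialized request body names, compare it with what the caller asked for, and refuse on any mismatch before the SDK call is made.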

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The function is presented as obtaining LogConfig CRs, but it also generates a temporary Kubernetes client certificate and uses it to connect directly to the cluster API. That broadens the trust boundary and privilege use beyond what the interface suggests, increasing the risk of unintended credential use and surprise access to cluster resources in an automation context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code explicitly disables TLS certificate verification on an outbound request to the Huawei Cloud NAT API using `requests.get(..., verify=False, ...)`. That makes the connection vulnerable to man-in-the-middle interception and response tampering, which is especially dangerous here because the code sends authenticated cloud API requests and processes infrastructure inventory data; an attacker could spoof the endpoint, alter returned NAT gateway data, or intercept sensitive metadata.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The function claims an official, API-aligned implementation but actually performs a manually signed raw HTTPS request and disables TLS certificate verification. Custom auth/signing logic increases the chance of subtle security bugs, and combined with verify=False it enables man-in-the-middle interception or tampering of responses and headers in transit.
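The two findings above (the NAT API request with `verify=False`, and the hand-signed raw request that does the same) share one root cause, so a single added example serves both. It is not the skill's code: a small AST scanner over a constructed Python source that reports the keyword form `verify=False`, session-level `verify = False` assignments, and `urllib3.disable_warnings()` calls, which is how the pattern is usually made quiet. The sample source is constructed for the example.

```python
import ast
from typing import List, Tuple

# Constructed sample source (not the skill's code) containing the patterns of interest.
SAMPLE_SOURCE = '''
import requests
import urllib3

def list_nat_gateways(url, headers):
    urllib3.disable_warnings()
    return requests.get(url, headers=headers, verify=False, timeout=30)

def list_vpcs(url, headers):
    with requests.Session() as s:
        s.verify = False
        return s.get(url, headers=headers)

def fixed(url, headers):
    return requests.get(url, headers=headers, verify=True, timeout=30)
'''


def _is_false(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is False


def find_tls_verification_disabled(source: str) -> List[Tuple[int, str]]:
    """Return (line, description) for each place TLS verification is switched off or its warning hidden."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            # requests.get(..., verify=False), session.get(..., verify=False), etc.
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    hits.append((node.lineno, "verify=False passed to " + ast.unparse(node.func)))
            # urllib3.disable_warnings(): the usual way the InsecureRequestWarning is silenced
            if isinstance(node.func, ast.Attribute) and node.func.attr == "disable_warnings":
                hits.append((node.lineno, "urllib3 InsecureRequestWarning suppressed"))
        elif isinstance(node, ast.Assign):
            # session.verify = False disables verification for every later request on that session
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "verify" and _is_false(node.value):
                    hits.append((node.lineno, f"{ast.unparse(target)} = False"))
    return sorted(hits)
```

The fix is to drop the argument (requests verifies against certifi by default) or to point `verify` at the organisation's CA bundle path; run the scanner over every module the skill bundles before approving it, since the finding shows the pattern appears in more than one place.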

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The module is presented as a storage failure diagnosis skill but also exposes standalone inventory and collection actions that return storage classes, volume attachments, node stats, and CSI logs. In an agent context, this broadens the data-access surface and enables cluster reconnaissance and sensitive operational data extraction beyond the minimum needed for a diagnosis request.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The snapshot collection function gathers broad cluster and network configuration data, including all pods, nodes, network policies, config/secret metadata references, events, node stats, and CSI logs, even when only a narrow storage diagnosis may be requested. In this skill context that is more dangerous because diagnostics often run with elevated credentials, so overcollection can leak topology, workload, and secret-adjacent information to downstream consumers or logs.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The advertised authentication behavior does not match the implemented code: the script sets token = args.ak as a placeholder and later calls get_ecs_by_ip with the hardcoded value "test", effectively ignoring any real token obtained earlier. This can cause operators to believe authenticated cloud API queries are being performed when the script is actually using invalid credentials and may produce misleading results or unsafe operational decisions.

Credential Access

High
Category
Privilege Escalation
Content
def _configure_k8s_client_certificate_files(
    configuration: Any,
    kubeconfig_data: Dict[str, Any],
    cert_file_path: str,
    key_file_path: str,
) -> tuple[Optional[str], Optional[str]]:
Confidence
88% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
    cert_file_path: str,
    key_file_path: str,
) -> tuple[Optional[str], Optional[str]]:
    """Write client cert/key files from kubeconfig data and attach them to the Kubernetes config."""
    user_data = _get_kubeconfig_user_data(kubeconfig_data)
    cert_file = None
    key_file = None
Confidence
90% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
"generate_inspection_html_report": _inspection_mod.generate_inspection_html_report,
        "generate_monitoring_chart": _common_mod.generate_monitoring_chart,
        "get_aom_prom_metrics_http": _aom_mod.get_aom_prom_metrics_http,
        "get_cce_kubeconfig": _cce_mod.get_cce_kubeconfig,
        "get_cce_addon_detail": _cce_mod.get_cce_addon_detail,
        "get_cce_node_metrics": _metrics_mod.get_cce_node_metrics,
        "get_cce_node_metrics_topN": _metrics_mod.get_cce_node_metrics_topN,
Confidence
83% confidence
Finding
kubeconfig

VirusTotal

65/65 vendors flagged this skill as clean.