Huawei Cloud Cce Log Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is presented as a log-analysis skill, but it exposes many powerful Huawei Cloud and Kubernetes administration actions that are not clearly disclosed.

Review before installing. Only use this skill if you intentionally want a broad Huawei Cloud/CCE administration toolkit rather than just a log analyzer. Use least-privilege test credentials, avoid passing AK/SK directly in prompts or commands, and do not enable secret data or kubeconfig retrieval unless absolutely necessary. Consider removing or disabling the undeclared dispatcher actions before using the skill in a production agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (106)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code collects Cluster Autoscaler pod logs, stores them in the result structure, and can optionally persist the generated report to disk via output_file. Even though the current report only includes a snippet rather than the full raw logs, the function also supports include_raw=True, which can expose the fetched CA logs and other cluster metadata to downstream consumers or files without any redaction, sensitivity warning, or explicit consent boundary. In a log-analysis skill, this is more dangerous because infrastructure logs commonly contain internal topology, error details, tokens, identifiers, or other operationally sensitive data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
get_cce_kubeconfig returns full cluster access material, including client certificate/key-bearing kubeconfig content and a YAML serialization of it, directly to the caller. In an agent skill context, this enables credential exfiltration and privilege transfer far beyond simple log analysis, allowing downstream use of cluster-admin-equivalent access outside the intended tool boundary.

Missing User Warnings

High
Confidence
98% confidence
Finding
list_cce_secrets can return full Kubernetes Secret data when include_data=true, which exposes credentials, tokens, certificates, and application secrets directly through the skill output. In an agent environment, this is a direct secret-disclosure primitive and is especially risky because the surrounding skill is framed for log analysis rather than secret administration.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
bind_cce_cluster_eip makes the Kubernetes API publicly reachable by attaching an EIP to the control plane, but it lacks any explicit confirmation or prominent warning about increasing external attack surface. In an agent/tooling context, this can silently convert a private management endpoint into an Internet-exposed one, enabling opportunistic scanning and attack if other controls are weak.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The install_cce_addon function performs a live remote cluster modification by creating a CCE addon instance immediately once called, but it has no explicit confirmation gate, dry-run mode, or user-facing warning. In an agent skill context, this is dangerous because a prompt injection, misunderstanding, or ambiguous user request could cause unintended infrastructure changes to a production Kubernetes cluster.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The update_cce_addon function changes an existing addon configuration and version on a live cluster without any confirmation or safety interlock. Because addon updates can affect cluster networking, monitoring, scheduling, or workload stability, an agent-triggered update based on untrusted instructions could cause service disruption or unauthorized config drift.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The configure_cce_bursting_addon function patches live addon settings, including subnet, network, project, proxy, and log-collection related parameters, and then immediately calls update_addon_instance without explicit confirmation. In this skill context, that is especially risky because the capability is embedded in an analysis-oriented agent; if invoked from loosely scoped requests or adversarial prompt content, it could silently reconfigure cluster bursting/network behavior and impact connectivity, scheduling, or observability.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code explicitly disables TLS certificate verification for the Kubernetes API client (`configuration.verify_ssl = False`) while also retrieving cluster access credentials. This permits man-in-the-middle interception or impersonation of the API server, which is especially dangerous here because the skill can read and modify LogConfig custom resources in a live cluster.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When include_raw is enabled, the function writes the full Kubernetes cluster inventory to disk, including workload metadata, pod placement, service mappings, labels, annotations, and infrastructure topology. In the context of a log-analysis/CCE operations skill, this creates a real information exposure risk because sensitive operational data may be persisted locally without explicit user warning, redaction, access control, or minimization, and could later be accessed by other users, tools, or processes on the host.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When include_raw is enabled, the function writes raw API responses from cluster, node, nodepool, deployment, HPA, metrics, and AOM discovery calls directly to disk. In a cloud/Kubernetes analysis skill, those responses can contain infrastructure metadata, workload names, namespaces, scaling settings, and potentially other sensitive operational details, so persisting them without strong gating, sanitization, or explicit disclosure increases the risk of local data exposure.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The history feature persists cluster analysis records to disk automatically when record_history is true, and history_dir may be derived implicitly from output_dir. Although the stored record is more curated than the raw dump, it still contains cluster identifiers, capacity statistics, elasticity configuration, recommendations, and file locations that may reveal sensitive operational state over time.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The function retrieves and returns full kubeconfig material, including client credentials and cluster endpoints, without any confirmation gate, redaction, or user-facing warning. In an agent skill context, this directly enables credential extraction and cluster takeover if invoked by an untrusted or confused user prompt.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Binding a public EIP to the control plane changes the cluster's exposure from private/internal to publicly reachable, but the function performs the action immediately without confirmation or explicit warning. In an agent setting, that makes accidental or prompt-induced security posture changes much more likely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function can persist detailed cluster analysis data and, when include_raw is enabled, raw node, pod, deployment, HPA, and metric responses to an arbitrary output directory without any built-in warning, redaction, or minimization. In the context of a Kubernetes/CCE analysis skill, these files may expose sensitive operational metadata such as cluster inventory, namespaces, pod names, node IPs, autoscaling posture, and usage patterns if written to shared disks, CI workspaces, or other accessible locations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The scale_workload function performs a state-changing Kubernetes operation by patching a deployment's replica count, but this file provides no built-in user-facing confirmation, dry-run, or explicit safety gate before execution. In an agent skill context, that omission is dangerous because a natural-language request or misrouted automation can trigger production scaling changes that affect availability, cost, or incident state.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code writes kubeconfig material to a predictable file in /tmp, which can expose cluster access credentials or tokens to other local users, processes, or forensic residue on shared systems. Because kubeconfig grants direct cluster access, insecure temporary storage materially increases the risk of credential theft and subsequent cluster compromise.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
This workflow writes kubeconfig to /tmp and then immediately uses it to authenticate a mutating Kubernetes API call that scales a workload. That combination is especially dangerous because leaked kubeconfig credentials could be reused by another local actor to perform arbitrary cluster administration, not just read-only diagnostics.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The subagent task generators build user-visible command strings that embed raw `ak` and `sk` values directly into the command. This exposes cloud credentials to logs, UI surfaces, transcripts, shell history, and any downstream agent or operator that can view the generated task, enabling full credential reuse beyond the intended inspection scope.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
`format_subagent_prompt` includes raw access keys and secret keys in natural-language prompt text and in the rendered execution command. Prompts are commonly persisted in agent traces and visible to other tools or humans, so this creates an unnecessary secret disclosure channel that can lead to cloud account compromise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code base64-decodes a client certificate and private key from the cluster credential response and writes them to predictable files under /tmp. Although cleanup is attempted, these files may persist on exceptions, be exposed to other local processes if permissions are not tightly controlled, or be abused via symlink/race conditions depending on runtime environment. In a cloud/Kubernetes admin skill, these materials are highly sensitive because they grant cluster access.
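The three kubeconfig-on-disk findings and the earlier `configuration.verify_ssl = False` finding share one fix: materialise certificate and key data only in a private, randomly named directory that is removed on every exit path, and keep TLS verification on by pinning the cluster CA rather than switching checks off. The block below is an added example written for this page, not the skill's own code. It assumes a parsed kubeconfig dict carrying `certificate-authority-data`, `client-certificate-data` and `client-key-data`, and falls back to a plain attribute holder when the `kubernetes` package is not installed; the PEM bodies in the sample are placeholders.

```python
# Added example (not the skill's code): build a Kubernetes client configuration
# from kubeconfig material without predictable /tmp paths or verify_ssl=False.
import base64
import contextlib
import os
import shutil
import tempfile
from types import SimpleNamespace


def _write_private(directory, name, data):
    """Create a 0600 file with O_EXCL: a pre-planted file or symlink at the
    path makes the open fail instead of being followed or overwritten."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


@contextlib.contextmanager
def client_config_from_kubeconfig(kubeconfig, config=None):
    """Yield a Configuration-like object whose CA/cert/key attributes point at
    private temp files. The files are removed on exit, including when the body
    raises. `config` defaults to kubernetes.client.Configuration() if that
    package is importable; otherwise a SimpleNamespace stands in (assumption so
    the example runs offline)."""
    if config is None:
        try:
            from kubernetes import client
            config = client.Configuration()
        except ImportError:
            config = SimpleNamespace()
    cluster = kubeconfig["clusters"][0]["cluster"]
    user = kubeconfig["users"][0]["user"]
    workdir = tempfile.mkdtemp(prefix="cce-")  # random name, mode 0700
    try:
        config.host = cluster["server"]
        config.verify_ssl = True  # pin the cluster CA instead of disabling checks
        config.ssl_ca_cert = _write_private(
            workdir, "ca.crt", base64.b64decode(cluster["certificate-authority-data"]))
        config.cert_file = _write_private(
            workdir, "client.crt", base64.b64decode(user["client-certificate-data"]))
        config.key_file = _write_private(
            workdir, "client.key", base64.b64decode(user["client-key-data"]))
        yield config
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def _b64(pem):
    return base64.b64encode(pem).decode()


# Constructed sample kubeconfig; the PEM bodies are placeholders, not real keys.
SAMPLE_KUBECONFIG = {
    "clusters": [{"name": "demo", "cluster": {
        "server": "https://10.0.0.1:5443",
        "certificate-authority-data": _b64(b"-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----\n"),
    }}],
    "users": [{"name": "demo-user", "user": {
        "client-certificate-data": _b64(b"-----BEGIN CERTIFICATE-----\nCLIENT\n-----END CERTIFICATE-----\n"),
        "client-key-data": _b64(b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"),
    }}],
}


def file_mode(path):
    return os.stat(path).st_mode & 0o777


def demo():
    """Return (verify_ssl, per-file modes while in use, key file exists afterwards)."""
    with client_config_from_kubeconfig(SAMPLE_KUBECONFIG) as cfg:
        modes = {os.path.basename(p): file_mode(p)
                 for p in (cfg.ssl_ca_cert, cfg.cert_file, cfg.key_file)}
        key_path, verify = cfg.key_file, cfg.verify_ssl
    return verify, modes, os.path.exists(key_path)


def cleanup_on_error():
    """The key file must be gone even when the API call inside the block fails."""
    try:
        with client_config_from_kubeconfig(SAMPLE_KUBECONFIG) as cfg:
            key_path = cfg.key_file
            raise RuntimeError("simulated API failure")
    except RuntimeError:
        pass
    return os.path.exists(key_path)


if __name__ == "__main__":
    print(demo(), cleanup_on_error())
```

The `with` block is the only place the key material exists on disk; a caller that needs to scale a workload wraps the API call inside it, and the `finally` guarantees removal whether the call succeeds or raises.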

Missing User Warnings

High
Confidence
98% confidence
Finding
The list_cce_secrets function can return Kubernetes Secret data verbatim when include_data=True. That exposes base64-encoded secret contents such as credentials, API tokens, and keys to any caller of the skill, which is especially dangerous because this skill is explicitly designed for log/cluster analysis rather than secret extraction.
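A log-analysis skill rarely needs Secret values, and raw inventory dumps pick up the same material through env vars, `last-applied-configuration` annotations and addon parameters. The block below is an added example, not the skill's code, showing the minimisation a practitioner would put between the API client and anything returned to the agent or written to disk; it serves both the list_cce_secrets findings and the include_raw findings above. The sensitive-key pattern and the sample response are constructed for illustration.

```python
# Added example (not the skill's code): strip credential-bearing fields from
# Secret listings and raw Kubernetes API responses before returning or persisting them.
import base64
import json
import re

# Field names that usually carry credentials (constructed heuristic; extend for your estate).
_SENSITIVE = re.compile(r"(token|passw(or)?d|secret|credential|api[-_]?key|private[-_]?key|access[-_]?key)", re.I)
# ...Name / ...Ref fields only point at a secret; their values are safe to keep.
_REFERENCE = re.compile(r"(name|ref)$", re.I)
# kubectl stores the full last-applied object here, Secret data included.
DROP_ANNOTATIONS = {"kubectl.kubernetes.io/last-applied-configuration"}


def _is_sensitive_key(key):
    return isinstance(key, str) and bool(_SENSITIVE.search(key)) and not _REFERENCE.search(key)


def _looks_like_secret(obj):
    # Items from the python client often omit `kind`; a `type` next to `data` is Secret-only.
    return obj.get("kind") == "Secret" or (isinstance(obj.get("type"), str) and "data" in obj)


def summarize_secret(item):
    """What a list_cce_secrets caller usually needs: names, type, key names and sizes."""
    data = item.get("data") or {}
    return {
        "namespace": item["metadata"].get("namespace"),
        "name": item["metadata"]["name"],
        "type": item.get("type"),
        "keys": {k: len(base64.b64decode(v)) for k, v in data.items()},
    }


def redact(obj, key=None):
    """Deep-copy `obj` (a parsed API response) with secret material masked."""
    if isinstance(obj, dict):
        out = {}
        secret = _looks_like_secret(obj)
        for k, v in obj.items():
            if k == "annotations" and isinstance(v, dict):
                out[k] = {a: redact(b, a) for a, b in v.items() if a not in DROP_ANNOTATIONS}
            elif secret and k in ("data", "stringData") and isinstance(v, dict):
                out[k] = {name: "<redacted>" for name in v}
            else:
                out[k] = redact(v, k)
        # env-style {"name": "DB_PASSWORD", "value": "..."} entries keep the key in `name`
        if isinstance(out.get("name"), str) and "value" in out and _is_sensitive_key(out["name"]):
            out["value"] = "<redacted>"
        return out
    if isinstance(obj, list):
        return [redact(v, key) for v in obj]
    if isinstance(obj, str) and _is_sensitive_key(key):
        return "<redacted>"
    return obj


def contains(obj, needle):
    """True if `needle` appears anywhere in the JSON serialisation of `obj`."""
    return needle in json.dumps(obj)


# Constructed sample response: one Secret and one Pod, as a raw inventory dump would hold them.
SAMPLE_RAW = {
    "kind": "List",
    "items": [
        {"kind": "Secret", "type": "Opaque",
         "metadata": {"name": "db-creds", "namespace": "prod",
                      "annotations": {"kubectl.kubernetes.io/last-applied-configuration":
                                      '{"data":{"password":"aHVudGVyMg=="}}',
                                      "owner": "team-a"}},
         "data": {"password": base64.b64encode(b"hunter2").decode()}},
        {"kind": "Pod", "metadata": {"name": "api-0", "namespace": "prod"},
         "spec": {"containers": [{"name": "api", "env": [
                      {"name": "DB_PASSWORD", "value": "hunter2"},
                      {"name": "LOG_LEVEL", "value": "info"}]}],
                  "volumes": [{"name": "creds", "secret": {"secretName": "db-creds"}}]}},
    ],
}
```

`summarize_secret` is what `include_data=False` should return; `redact` is what an `include_raw=True` dump should pass through before `write_text`. The `secretName` reference survives because it identifies a Secret without disclosing it.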

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The function performs a live remote infrastructure mutation by creating a CCE node pool immediately when called, but unlike the resize and delete flows it does not require an explicit confirmation gate or provide a user-facing destructive/cost warning before execution. In an agent skill context, that inconsistency increases the risk of unintended cloud resource creation, billing impact, and environment drift from prompt ambiguity, tool misuse, or prompt injection driving the agent to invoke the function prematurely.
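The mutating findings above (install_cce_addon, update_cce_addon, configure_cce_bursting_addon, bind_cce_cluster_eip, scale_workload and node-pool creation) all lack the gate the resize and delete flows have. One consistent way to add it, shown here as an added example and not the skill's own code: a decorator that makes every mutating tool preview by default, accepts only the literal boolean True as confirmation so a model echoing "yes" cannot satisfy it, and records executed actions. `FakeCceApi` and the two tool bodies are constructed stand-ins for the real Huawei Cloud and Kubernetes clients.

```python
# Added example (not the skill's code): a confirm/dry-run gate for tool functions
# that change a live cluster or cloud account.
import functools
import inspect

AUDIT_LOG = []  # plans that were actually executed, for later review


class ConfirmationRequired(Exception):
    """A mutating tool was invoked without confirm=True."""


def mutating(description):
    """Wrap a tool so that calling it previews by default. Extra keyword args:
    dry_run=True  -> return the plan, touch nothing
    confirm=True  -> execute; only the boolean True counts, so "yes", 1 or a
                     model-echoed string cannot satisfy the gate"""
    def decorate(fn):
        signature = inspect.signature(fn)

        @functools.wraps(fn)
        def wrapper(*args, dry_run=False, confirm=False, **kwargs):
            bound = signature.bind(*args, **kwargs)
            bound.apply_defaults()
            # keep only scalar arguments in the plan; client objects are not reportable
            scalars = {k: v for k, v in bound.arguments.items()
                       if isinstance(v, (str, int, float, bool, type(None)))}
            plan = {"action": fn.__name__,
                    "description": description.format(**scalars),
                    "arguments": scalars}
            if dry_run:
                return {"dry_run": True, **plan}
            if confirm is not True:
                raise ConfirmationRequired(
                    f"{fn.__name__} would {plan['description']}. "
                    "Re-run with dry_run=True to preview or confirm=True to execute.")
            AUDIT_LOG.append(plan)
            return fn(*args, **kwargs)
        return wrapper
    return decorate


class FakeCceApi:
    """Constructed stand-in for the Huawei Cloud / Kubernetes clients; records calls."""
    def __init__(self):
        self.calls = []

    def patch_deployment_scale(self, namespace, name, replicas):
        self.calls.append(("scale", namespace, name, replicas))
        return {"namespace": namespace, "name": name, "replicas": replicas}

    def bind_eip(self, cluster_id, eip_id):
        self.calls.append(("bind_eip", cluster_id, eip_id))
        return {"cluster_id": cluster_id, "eip_id": eip_id}


@mutating("scale deployment {namespace}/{name} to {replicas} replicas")
def scale_workload(api, *, namespace, name, replicas):
    return api.patch_deployment_scale(namespace, name, replicas)


@mutating("expose the API server of cluster {cluster_id} on public EIP {eip_id}")
def bind_cce_cluster_eip(api, *, cluster_id, eip_id):
    return api.bind_eip(cluster_id, eip_id)
```

An agent framework that exposes these wrappers as tools gets the plan text back from the first call and has to present it to the user; the user's explicit approval is what the second call with `confirm=True` encodes, and `AUDIT_LOG` records what was actually executed.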

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function writes report content to a user-controlled path via Path(output_file).write_text(...) with no path validation or sandboxing. If an attacker can influence output_file, they may overwrite arbitrary files accessible to the process, causing data loss, corruption, or placement of attacker-chosen content in sensitive locations.
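Assuming reports are only ever meant to land under one directory, the write can be confined to it: resolve the requested name against that root, reject anything that escapes it after symlink resolution, and refuse to clobber existing files. This is an added example, not the skill's code; the allowed extensions and the scenarios in `demo()` are assumptions.

```python
# Added example (not the skill's code): confine report output to one directory
# instead of honouring an arbitrary output_file path.
import os
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".md", ".txt", ".json"}  # assumption: the formats the report uses


class UnsafeOutputPath(ValueError):
    """output_file would land outside the approved directory or has a wrong type."""


def resolve_report_path(output_root, output_file):
    """Map a caller-supplied relative name to a path under `output_root`.
    Resolution follows symlinks, so a planted link inside the root that points
    elsewhere is also rejected."""
    root = Path(output_root).resolve()
    candidate = Path(output_file)
    if candidate.is_absolute():
        raise UnsafeOutputPath(f"absolute output_file not allowed: {output_file!r}")
    target = (root / candidate).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise UnsafeOutputPath(f"{output_file!r} escapes {root}") from None
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeOutputPath(f"unexpected report type: {target.suffix!r}")
    return target


def write_report(output_root, output_file, content, overwrite=False):
    """Write with O_EXCL by default so an existing file is never clobbered;
    O_NOFOLLOW (where available) stops a symlink race at the final component."""
    target = resolve_report_path(output_root, output_file)
    target.parent.mkdir(parents=True, exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    flags |= os.O_TRUNC if overwrite else os.O_EXCL
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    return target


def demo():
    """Write once into a fresh directory, then try the paths an attacker or a
    confused agent might pass. Returns a dict of outcomes."""
    root = tempfile.mkdtemp(prefix="cce-reports-")
    written = write_report(root, "cluster-a/report.md", "# constructed report\n")
    results = {"inside_root": str(written).startswith(str(Path(root).resolve()) + os.sep)}
    for bad in ("../../../etc/passwd", "/etc/passwd", "x/../../escape.md", "report.sh"):
        try:
            resolve_report_path(root, bad)
            results[bad] = "accepted"
        except UnsafeOutputPath:
            results[bad] = "rejected"
    try:
        write_report(root, "cluster-a/report.md", "second write")
        results["clobber"] = "accepted"
    except FileExistsError:
        results["clobber"] = "rejected"
    return results
```

The check runs on the resolved path, not on the string, which is what defeats `..` segments and symlinks alike; the `output_root` itself should come from configuration, never from the prompt.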

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The helper automatically pulls Huawei access credentials from environment variables without any explicit user disclosure, consent boundary, or indication that ambient secrets will be consumed. In an agent/skill context, this is dangerous because users may trigger seemingly read-only log analysis while the skill silently escalates to authenticated cloud access using whatever credentials are present in the runtime.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code uses discovered credentials to make live IAM API calls to enumerate projects and cache project IDs, again without any user-facing disclosure. In this skill's context, that means a log-analysis tool can silently perform authenticated account discovery against Huawei Cloud, expanding scope from local analysis to cloud reconnaissance and potentially exposing account structure or enabling unintended access patterns.
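For the credential findings (AK/SK embedded in subagent commands and prompts, and silent harvesting from the environment), the pattern below, an added example rather than the skill's code, makes environment lookup an explicit opt-in, hands secrets to a subprocess through its environment rather than through argv or prompt text, and checks rendered text for leaks before it can reach a transcript or log. The environment variable names are an assumption to verify against the Huawei Cloud SDK version in use, and the module name in argv is hypothetical.

```python
# Added example (not the skill's code): keep AK/SK out of prompts, argv and logs,
# and only read ambient credentials when the caller explicitly allows it.
import shlex
from dataclasses import dataclass

# Assumption: names as used by the Huawei Cloud SDK's EnvCredentials; verify for your SDK version.
AK_ENV, SK_ENV = "HUAWEICLOUD_SDK_AK", "HUAWEICLOUD_SDK_SK"


class CredentialLeak(RuntimeError):
    """Rendered text (prompt, command line, log line) contains a secret."""


def mask(value, keep=4):
    """Fingerprint for display: first `keep` characters, the rest starred."""
    return value[:keep] + "*" * max(0, len(value) - keep) if value else ""


@dataclass(frozen=True)
class Credentials:
    ak: str
    sk: str
    source: str

    def __repr__(self):  # the default dataclass repr would print the SK into traces
        return f"Credentials(ak={mask(self.ak)!r}, sk='<hidden>', source={self.source!r})"


def load_credentials(environ, allow_env=False):
    """Read AK/SK from `environ` only when explicitly permitted, so a read-only
    log-analysis request cannot silently escalate to authenticated cloud access."""
    if allow_env is not True:
        raise PermissionError(
            f"no credentials supplied; pass allow_env=True to read {AK_ENV}/{SK_ENV}")
    ak, sk = environ.get(AK_ENV), environ.get(SK_ENV)
    if not ak or not sk:
        raise LookupError(f"{AK_ENV} and {SK_ENV} must both be set")
    return Credentials(ak=ak, sk=sk, source=f"env:{AK_ENV}")


def assert_no_leak(text, creds):
    """Refuse to emit text that contains either key verbatim."""
    for label, secret in (("AK", creds.ak), ("SK", creds.sk)):
        if secret and secret in text:
            raise CredentialLeak(f"{label} appears in rendered text")
    return text


def build_subagent_task(creds, cluster_id, region):
    """Command and prompt carry no secrets; the secrets travel in the child's
    environment, which agent frameworks do not render into the transcript."""
    argv = ["python", "-m", "cce_log_analyzer",  # hypothetical module name
            "--cluster", cluster_id, "--region", region]
    prompt = (f"Analyse CCE cluster {cluster_id} in {region}. Credentials are available "
              f"as {AK_ENV}/{SK_ENV} in the process environment (access key {mask(creds.ak)}); "
              "never print or repeat them.")
    return {
        "command": assert_no_leak(shlex.join(argv), creds),
        "prompt": assert_no_leak(prompt, creds),
        "env": {AK_ENV: creds.ak, SK_ENV: creds.sk},  # pass as subprocess.run(..., env=...)
    }
```

The `env` mapping is the only place the keys appear in full; the generated command and prompt, which are what ends up in traces, UI surfaces and shell history, carry just a four-character fingerprint.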

VirusTotal

65/65 vendors flagged this skill as clean.
