Huawei Cloud Cce Metric Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as read-only metrics analysis, but the shipped runtime exposes broad Huawei Cloud and Kubernetes administration, credential, secret, and mutation capabilities that are not clearly disclosed.

Install only if you are comfortable treating this as a broad Huawei Cloud CCE administration toolkit rather than a read-only metrics skill. Use least-privilege IAM credentials, avoid passing AK/SK as command arguments, review or remove the non-metric dispatcher actions before use, and do not enable secret/kubeconfig export or mutating actions unless you explicitly intend those operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (62)

Vague Triggers

Severity: Medium (84% confidence)
Finding
The trigger list contains broad phrases like 'CPU usage', 'memory usage', 'resource metrics', and 'performance monitoring', which can match many generic conversations unrelated to Huawei Cloud CCE. Overbroad activation can route users into a high-capability cloud skill unnecessarily, increasing the chance of unintended credential use, data exposure, or execution of sensitive tooling in the wrong context. This becomes more dangerous because the same skill appears to have access beyond simple metrics, amplifying the consequences of accidental invocation.

Missing User Warnings

Severity: Medium (95% confidence)
Finding
The function accepts an arbitrary output_file path and writes the generated report there with no path validation, sandboxing, or user confirmation. In an agent setting, this can be abused to overwrite unintended files, drop data into sensitive locations, or perform unauthorized file writes if an attacker can influence the parameter.

Missing User Warnings

Severity: High (99% confidence)
Finding
`get_cce_kubeconfig` returns a full kubeconfig, including client certificate/key material and API endpoint details, directly to the caller with no explicit confirmation, warning, redaction, or scope restriction. In this skill context, that is especially dangerous because the skill is intended for operational metric/cluster management tasks, so exfiltrating reusable cluster access credentials materially expands access beyond the immediate action.

Missing User Warnings

Severity: High (99% confidence)
Finding
`list_cce_secrets` can return Kubernetes Secret contents when `include_data=True`, exposing secret material to the caller without any user-facing warning or confirmation. In a cluster administration skill, this is highly sensitive because secrets commonly contain passwords, tokens, cloud credentials, and TLS keys that enable lateral movement and persistent compromise.

Missing User Warnings

Severity: Medium (94% confidence)
Finding
The install function issues a live remote create_addon_instance call that changes cluster state immediately, but it has no explicit confirmation gate, dry-run mode, or user-facing warning. In an agent skill context, this is dangerous because a natural-language prompt or tool-chain mistake can cause unintended addon deployment to production infrastructure.

Missing User Warnings

Severity: Medium (96% confidence)
Finding
The update function performs a direct update_addon_instance call against a live addon using caller-supplied values, again without confirmation or change-review safeguards. Because addon updates can alter networking, monitoring, or scheduling behavior, an accidental or prompt-injected invocation could disrupt cluster services or weaken security posture.

Missing User Warnings

Severity: Medium (97% confidence)
Finding
This function patches live virtual-kubelet/bursting addon configuration, including network, subnet, project, proxy, and log-collection settings, and then immediately submits an update to the cluster. In the stated skill context of metric analysis, this capability is especially risky because it exceeds read-only analysis expectations; a user invoking a monitoring-oriented skill may not anticipate infrastructure mutation, making prompt confusion or abuse more likely.

Missing User Warnings

Severity: Medium (92% confidence)
Finding
The function can write a full raw Kubernetes/CCE inventory to an arbitrary output directory when include_raw is enabled, and that inventory contains sensitive operational metadata such as workloads, pod placement, labels, services, ingresses, and cluster topology. Even though this is framed as a reporting feature rather than overtly malicious behavior, persisting this data without clear user disclosure, minimization, or access controls increases the chance of unintended data exposure through shared disks, logs, artifacts, or CI workspaces.

Missing User Warnings

Severity: Medium (95% confidence)
Finding
The code can persist full raw cloud/API responses to disk when include_raw is enabled, and those responses may contain sensitive infrastructure metadata, configuration details, identifiers, and possibly credential-adjacent data depending on upstream SDK output. In a cloud operations skill, writing unredacted provider responses to user-specified output locations increases the risk of local data exposure, overbroad retention, and accidental exfiltration through logs, artifacts, or shared workspaces.

Missing User Warnings

Severity: Medium (93% confidence)
Finding
The function returns full kubeconfig material, including cluster access credentials/certificates, directly to the caller and additionally serializes it into YAML for easier reuse. In an agent skill context, this is sensitive credential exfiltration functionality: a prompt or tool invocation can extract administrative cluster access without any secondary confirmation, masking, or explicit high-risk warning.

Missing User Warnings

Severity: Medium (86% confidence)
Finding
Binding an EIP to the cluster control plane exposes the Kubernetes API server to the public Internet, materially increasing attack surface for brute force, credential abuse, and control-plane reconnaissance. The operation proceeds without any explicit confirmation gate or security warning, which is risky in an agent-executed environment where users may not understand the exposure change.

Missing User Warnings

Severity: Medium (92% confidence)
Finding
The code can persist full raw cluster/API responses to disk when include_raw is enabled, with no minimization, redaction, or safety guard. In this skill context, those responses may contain sensitive infrastructure metadata, workload details, and possibly identifiers or configuration data that increase exposure if the output directory is shared, backed up, or readable by other users/processes.

Missing User Warnings

Severity: Medium (97% confidence)
Finding
The function writes a live kubeconfig containing cluster access credentials to a predictable path under /tmp. On multi-user systems or in compromised environments, temporary files may be readable, raceable, or left behind, enabling unauthorized Kubernetes API access far beyond simple diagnostics.

Missing User Warnings

Severity: Medium (95% confidence)
Finding
This function performs a state-changing cluster operation by patching deployment scale directly, but it has no built-in confirmation, dry-run, authorization gate, or explicit user warning. In an agent skill context, that increases the risk of accidental or prompt-induced operational changes that affect availability and cost.

Missing User Warnings

Severity: Medium (99% confidence)
Finding
The code explicitly disables TLS certificate verification for Kubernetes API connections by setting verify_ssl = False. In this skill, the connection is used to create, replace, and list HPAs against a live cluster, so a man-in-the-middle attacker could impersonate the API server, steal client credentials/certificates, or tamper with autoscaling operations.

Missing User Warnings

Severity: Medium (98% confidence)
Finding
The subagent task generator builds shell command strings that include raw access key and secret key values. Passing credentials on the command line is dangerous because they can be exposed via process listings, logs, shell history, task orchestration traces, or downstream agent outputs, and this skill is explicitly designed to fan those commands out to subagents, increasing exposure surfaces.

Missing User Warnings

Severity: Medium (98% confidence)
Finding
The auto-subagent mode also constructs shell commands containing plaintext credentials, then returns them as task metadata for automated multi-agent execution. In this context the risk is amplified because automated aggregation and orchestration commonly persist task definitions, execution transcripts, and debug logs, making credential disclosure likely beyond the immediate process.

Missing User Warnings

Severity: Medium (99% confidence)
Finding
The prompt formatter includes AK and SK directly in natural-language instructions and the sample execution command. This creates direct secret exfiltration risk because prompts are often visible to users, subagents, telemetry pipelines, and model providers, and unlike a local variable, prompt text is intentionally propagated outward.

Missing User Warnings

Severity: Medium (94% confidence)
Finding
The code decodes certificate-authority, client certificate, and client private key material from the generated kubeconfig and writes them to temporary files on disk. Although cleanup is attempted in a finally block, the files persist on the filesystem during execution and may remain if the process crashes, be observable by local privileged users, or be recovered from disk-backed temp storage.

Missing User Warnings

Severity: Medium (94% confidence)
Finding
The create_node_pool function performs a state-changing cloud action immediately once called, unlike resize_node_pool and delete_node_pool which require an explicit confirm flag. In an agent-executed skill, this creates a real risk of accidental infrastructure provisioning, cost increase, and environmental drift from ambiguous prompts, prompt-injection, or tool misuse.

Missing User Warnings

Severity: Low (94% confidence)
Finding
The function writes report content to `Path(output_file).write_text(...)` using a fully user-controlled path with no validation, sandboxing, or consent guard. In an agent setting, this can be abused to overwrite arbitrary files accessible to the process, which may corrupt application data, poison configs, or place attacker-chosen content in sensitive locations even though the report itself is not executable.

Missing User Warnings

Severity: Medium (91% confidence)
Finding
The code writes a self-contained monitoring dashboard to a predictable local HTML file under /tmp, embedding cluster name, pod metrics, and potentially network telemetry without any warning or controls around persistence. In a shared host, container, or support workstation context, other local users, processes, backups, or crash collectors may read these files and gain insight into cluster structure and workload behavior.

Missing User Warnings

Severity: Medium (97% confidence)
Finding
The diagnosis report persists richer sensitive content than the dashboard, including workload names, pod status, node IPs, pod IPs, alarm details, and network-chain information, all in a local HTML file. That materially increases reconnaissance value for an attacker or unauthorized insider and can expose operational details long after the report was generated.

Missing User Warnings

Severity: Medium (94% confidence)
Finding
The function writes report content to a user-controlled output_file path with no validation, restriction, or disclosure. In an agent/automation context, this can overwrite arbitrary files accessible to the process, enabling clobbering of configs, logs, or other sensitive local files if an attacker can influence parameters.

Missing User Warnings

Severity: Medium (87% confidence)
Finding
The dispatcher exposes direct actions for pod, application, AOM, and audit log retrieval, which can return highly sensitive operational or secret-bearing content. In an agent skill context, exposing these actions without any access control, redaction hook, or explicit sensitivity gating increases the risk of unintended data disclosure to the caller or downstream LLM components.

VirusTotal

VirusTotal findings are pending for this skill version.