Huawei Cloud CCE Network Failure Diagnoser

Security checks across malware telemetry and agentic risk

Overview

The skill is presented as a read-only network diagnoser, but its packaged dispatcher exposes under-disclosed cloud and Kubernetes administration actions that can change or delete resources and expose sensitive cluster data.

Treat this as a Review install. Run it only under a tightly scoped, read-only Huawei Cloud/Kubernetes identity, and do not grant permissions for cluster deletion, workload mutation, addon management, AOM rule changes, kubeconfig export, or Secret reads unless you intentionally want those admin capabilities from this package.
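One way to enforce the identity scoping above before binding the skill is to lint the Kubernetes (Cluster)Role you intend to hand it. The checker below is an added example, not code from the scanned package or from Huawei; the role dicts are constructed samples in the shape `kubectl get clusterrole -o json` returns, and the deny lists encode an assumed policy (no write verbs, no Secret reads, no pod exec/attach/port-forward, no wildcards). A Huawei Cloud IAM policy for the ECS/CCE/AOM side would get the same treatment against its own action names.

```python
"""Lint a Kubernetes (Cluster)Role against a read-only network-diagnoser scope.

Added example, not part of the scanned skill. Roles are plain dicts as
`kubectl get clusterrole -o json` returns them; the deny lists are an assumed
policy: no write verbs, no Secret reads, no exec subresources, no wildcards."""
from __future__ import annotations

from dataclasses import dataclass

READ_ONLY_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
DENIED_RESOURCES = {"secrets", "*"}
EXEC_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward", "nodes/proxy"}


@dataclass(frozen=True)
class Violation:
    rule_index: int
    reason: str


def check_role(role: dict) -> list[Violation]:
    """Return every way `role` exceeds read-only, Secret-free diagnosis."""
    found: list[Violation] = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if bad := verbs & WRITE_VERBS:
            found.append(Violation(i, f"write verbs {sorted(bad)} on {sorted(resources)}"))
        # impersonate, bind, escalate, approve ... are not reads either
        if odd := verbs - READ_ONLY_VERBS - WRITE_VERBS:
            found.append(Violation(i, f"non-read verbs {sorted(odd)}"))
        if bad := resources & DENIED_RESOURCES:
            found.append(Violation(i, f"access to denied resources {sorted(bad)}"))
        if bad := resources & EXEC_SUBRESOURCES:
            found.append(Violation(i, f"execution subresources {sorted(bad)}"))
        if "*" in rule.get("apiGroups", []):
            found.append(Violation(i, "wildcard apiGroup"))
    return found


# Constructed: the least privilege a network diagnoser plausibly needs.
DIAGNOSER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "cce-network-diagnoser"},
    "rules": [
        {"apiGroups": [""],
         "resources": ["pods", "services", "endpoints", "nodes", "events", "namespaces"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["networking.k8s.io"], "resources": ["networkpolicies", "ingresses"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed: the kind of binding the package's full dispatcher would need.
OVERBROAD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "diagnoser-as-shipped"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments", "deployments/scale"],
         "verbs": ["get", "list", "patch", "update", "delete"]},
        {"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

if __name__ == "__main__":
    for role in (DIAGNOSER_ROLE, OVERBROAD_ROLE):
        problems = check_role(role)
        print(role["metadata"]["name"], "OK" if not problems else "")
        for v in problems:
            print(f"  rule[{v.rule_index}]: {v.reason}")
```

Run it against the role you are about to bind; anything it reports is a permission the package can use from a "diagnostic" trigger, so either drop the rule or accept that you are installing an administration tool.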

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (244)

Description-Behavior Mismatch

High severity, 96% confidence
The script’s exported aliases include destructive CCE operations such as cluster, node, and workload deletion plus scaling/resizing, even though the skill is presented as a network diagnosis tool. In an agent setting, this scope expansion is dangerous because a user invoking a diagnostic skill could indirectly gain infrastructure-modifying capabilities that can cause outages or data loss.
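The mismatch this finding describes (a read-only docstring over a dispatcher that also binds delete and scale handlers) can be caught mechanically before install by walking the module's AST instead of trusting its docstring. The checker below is an added example, not the scanner's or the package's code; SAMPLE_MODULE is a constructed stand-in for the dispatcher pattern, the `ACTIONS` table name is an assumption, and the verb/noun lists are the reviewer's own.

```python
"""Enumerate the actions a skill's dispatcher exposes and compare them with what
its docstring claims.  Added example; SAMPLE_MODULE is a constructed stand-in for
the pattern the finding describes, not the real package's source."""
from __future__ import annotations

import ast
import re

SAMPLE_MODULE = '''
"""Wrapper for querying CCE resources and monitoring data."""

def list_clusters(): ...
def show_cluster(cluster_id): ...
def delete_cluster(cluster_id, confirm=False): ...
def scale_node_pool(pool_id, count): ...
def get_kubeconfig(cluster_id): ...
def list_secrets(namespace, with_values=False): ...

ACTIONS = {
    "clusters": list_clusters,
    "cluster": show_cluster,
    "rm_cluster": delete_cluster,   # alias hides the verb
    "resize": scale_node_pool,
    "kubeconfig": get_kubeconfig,
    "secrets": list_secrets,
}
'''

# assumed classification lists; extend for the cloud API you are reviewing
MUTATING_VERBS = {"create", "update", "patch", "replace", "delete", "remove", "scale",
                  "resize", "drain", "cordon", "install", "uninstall", "rollback",
                  "bind", "hibernate", "enable", "disable"}
CREDENTIAL_NOUNS = {"kubeconfig", "secret", "secrets", "token", "credential", "credentials"}


def exported_actions(source: str, table: str = "ACTIONS") -> dict[str, str]:
    """Map each alias key in the dispatcher dict `table` to its handler's name."""
    tree = ast.parse(source)
    actions: dict[str, str] = {}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Dict)):
            continue
        if not any(isinstance(t, ast.Name) and t.id == table for t in node.targets):
            continue
        for key, value in zip(node.value.keys, node.value.values):
            if isinstance(key, ast.Constant) and isinstance(value, ast.Name):
                actions[key.value] = value.id
    return actions


def classify(handler: str) -> str:
    """'mutating', 'credential' or 'read', judged on the handler name, not the alias."""
    tokens = set(handler.lower().split("_"))
    if tokens & MUTATING_VERBS:
        return "mutating"
    if tokens & CREDENTIAL_NOUNS:
        return "credential"
    return "read"


def claims_read_only(source: str) -> bool:
    """Does the module docstring advertise a query/monitoring-only purpose?"""
    doc = ast.get_docstring(ast.parse(source)) or ""
    return re.search(r"\b(read-only|query|querying|monitor\w*)\b", doc, re.I) is not None


def scope_mismatch(source: str) -> tuple[bool, dict[str, str]]:
    """True when a read-only docstring sits over non-read handlers; also lists them."""
    risky = {alias: classify(h) for alias, h in exported_actions(source).items()
             if classify(h) != "read"}
    return claims_read_only(source) and bool(risky), risky


if __name__ == "__main__":
    flag, risky = scope_mismatch(SAMPLE_MODULE)
    print("docstring claims read-only:", claims_read_only(SAMPLE_MODULE))
    for alias, kind in sorted(risky.items()):
        print(f"  {alias!r} -> {exported_actions(SAMPLE_MODULE)[alias]} [{kind}]")
    print("scope mismatch:", flag)
```

Classifying on the handler rather than the alias is the point: `rm_cluster` and `resize` say nothing an allow-list keyed on alias names would flag, while `delete_cluster` and `scale_node_pool` do.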

Description-Behavior Mismatch

Medium severity, 88% confidence
The skill exposes broad cloud inventory and monitoring functions across ECS, EVS, IAM, AOM, ELB, and VPC that exceed the declared network-failure diagnosis scope. While not inherently destructive, this increases the blast radius of prompt misuse and can disclose unnecessary environment metadata to users or downstream components.

Context-Inappropriate Capability

High severity, 97% confidence
Deletion and scaling functions are unjustified in a diagnosis-focused skill and create a direct path from troubleshooting to service disruption. Even with in-memory confirmation logic elsewhere, simply exposing these capabilities through the skill interface materially increases the risk of accidental or induced destructive actions.

Intent-Code Divergence

Medium severity, 81% confidence
The module docstring claims the wrapper is for querying resources and monitoring data, but the code also binds deletion and scaling operations. This mismatch is dangerous because reviewers, operators, or policy systems may trust the declared read-only purpose and overlook hidden write/destructive behavior.

Description-Behavior Mismatch

High severity, 97% confidence
The skill is presented as a CCE network failure diagnoser, but this file includes broad AOM administrative capabilities such as creating, updating, enabling, disabling, and deleting alarm and action rules. This creates dangerous scope mismatch: a user invoking a diagnostic skill could be exposed to infrastructure-modifying operations that can suppress monitoring, alter alerting behavior, or remove operational safeguards.

Context-Inappropriate Capability

High severity, 98% confidence
Deleting AOM action rules directly affects notification delivery and can silently disable alert routing, which is unrelated to network diagnosis. In the context of a troubleshooting skill, this is especially risky because it enables an operator or compromised workflow to degrade detection and incident response under the guise of diagnostics.

Context-Inappropriate Capability

Medium severity, 93% confidence
Alarm-rule and mute-rule administration exceed the stated diagnostic purpose and allow suppression, disabling, or alteration of monitoring behavior. Although some functions use confirmation flags, they still embed security-sensitive control-plane actions in a troubleshooting tool, increasing the chance of accidental misuse or abuse.

Description-Behavior Mismatch

High severity, 96% confidence
This file is part of a network diagnosis skill, but it includes code that can replace a Deployment's PodTemplate and submit a rollback to the Kubernetes API. That is a real capability expansion from diagnosis into mutation of production workloads, which materially increases risk if the skill is invoked unexpectedly, mis-scoped, or supplied attacker-influenced parameters. The preview/confirm gate helps, but it does not eliminate the core issue that a diagnostic skill can perform privileged state-changing operations.

Description-Behavior Mismatch

High severity, 95% confidence
The auto-remediation entrypoint orchestrates diagnosis, rollback preview/execution, waiting for recovery, and report generation, which exceeds the manifest's stated network-failure diagnostic scope. In an agent setting, this mismatch is dangerous because users or upstream tooling may authorize the skill expecting observation-only behavior while it can actually change cluster state. Scope drift in a privileged cloud/Kubernetes skill is a genuine security issue even without overtly malicious code.

Context-Inappropriate Capability

Low severity, 83% confidence
The code writes a markdown report to any path provided in output_file without path restrictions, sandboxing, or disclosure. If an attacker can influence params, this can overwrite arbitrary files accessible to the process, which is especially risky in automation environments where credentials, configs, or startup files may be writable. The issue is not the report itself but the unrestricted file-write primitive embedded in a cloud diagnostic skill.
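The unrestricted write primitive above, beside the hardened form a reviewer would ask for, as an added example that is not the package's code. `write_report_unsafe` is an assumed reconstruction of the pattern the finding describes (the real function's name and signature are not given on this page); `write_report` confines the output to a report directory by accepting only a bare `*.md` name, resolving symlinks, and refusing to clobber or follow anything.

```python
"""Unrestricted report write (vulnerable pattern) beside a directory-confined one.

Added example; `write_report_unsafe` is an assumed shape of the finding's pattern,
not the package's code.  demo() exercises both in scratch directories."""
from __future__ import annotations

import os
import tempfile


def write_report_unsafe(output_file: str, content: str) -> str:
    """Whatever path the caller (or an injected parameter) supplies gets written."""
    with open(output_file, "w", encoding="utf-8") as fh:
        fh.write(content)
    return output_file


def write_report(report_dir: str, name: str, content: str) -> str:
    """Caller picks a bare file name; it is created inside report_dir or not at all."""
    if os.path.basename(name) != name or not name.endswith(".md"):
        raise ValueError(f"report name must be a bare *.md file name, got {name!r}")
    base = os.path.realpath(report_dir)
    target = os.path.realpath(os.path.join(base, name))
    # realpath has followed any symlink; refuse anything that escaped the directory
    if os.path.commonpath([base, target]) != base or target == base:
        raise ValueError(f"refusing to write outside {base}: {name!r}")
    # O_EXCL: never clobber an existing file; O_NOFOLLOW: no symlink race on the leaf
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    return target


def demo() -> dict[str, bool]:
    """Run both writers in scratch directories; report what each allowed."""
    results: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as scratch, tempfile.TemporaryDirectory() as outside:
        victim = os.path.join(outside, "crontab")  # stands in for a startup/config file
        write_report_unsafe(victim, "* * * * * root /tmp/payload\n")
        results["unsafe_wrote_outside"] = os.path.exists(victim)

        written = write_report(scratch, "diag.md", "# report\n")
        results["safe_wrote_inside"] = os.path.dirname(written) == os.path.realpath(scratch)

        for bad in ("../../crontab.md", "..", "/etc/cron.d/x.md", "notes.txt"):
            try:
                write_report(scratch, bad, "x")
                results[f"blocked:{bad}"] = False
            except ValueError:
                results[f"blocked:{bad}"] = True

        # a planted symlink inside the report dir pointing at the outside file
        os.symlink(victim, os.path.join(scratch, "link.md"))
        try:
            write_report(scratch, "link.md", "x")
            results["blocked:symlink"] = False
        except ValueError:
            results["blocked:symlink"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:28} {outcome}")
```

The `O_EXCL` choice means a re-run with the same name fails rather than overwriting; for a diagnostic report that is the safer default, and a timestamped name avoids the collision.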

Description-Behavior Mismatch

High severity, 97% confidence
The file implements CCE autoscaling diagnosis, but the enclosing skill is presented to users as a network-failure diagnoser. This scope mismatch is dangerous because it can cause the agent to collect unrelated sensitive cluster data such as pod logs, events, workloads, and metrics under a misleading trigger/context, violating least surprise and potentially expanding access beyond what the user intended.

Intent-Code Divergence

Medium severity, 88% confidence
The module docstring explicitly states that the code performs autoscaling diagnosis, which contradicts the documented network-diagnosis purpose of the surrounding skill. This inconsistency is a security-relevant signal because it indicates hidden or unintended capability in the package, increasing the risk that operators or users authorize execution under false assumptions.

Description-Behavior Mismatch

High severity, 99% confidence
This skill is advertised for CCE network diagnosis, but the file contains broad administrative and destructive capabilities including cluster deletion, node deletion, workload deletion, scaling, hibernation, EIP binding, and node drain/cordon operations. That scope mismatch is dangerous because a user or higher-level agent invoking a 'diagnosis' skill could unintentionally perform irreversible state changes and outages far beyond troubleshooting.

Context-Inappropriate Capability

High severity, 99% confidence
The skill can retrieve and return a full kubeconfig, including client credentials and cluster endpoints, even though that capability is not necessary for network diagnosis. Exposing a kubeconfig materially increases the blast radius because it grants reusable cluster access that can be exfiltrated, reused outside the tool, or abused by downstream components.

Context-Inappropriate Capability

High severity, 99% confidence
The skill lists ConfigMaps and Secrets and can optionally return their raw contents, which exceeds the stated network-diagnosis purpose and directly exposes sensitive application and infrastructure data. Secret values often contain credentials, tokens, certificates, and connection strings that enable lateral movement or full environment compromise.
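For the two findings above (kubeconfig export and raw Secret reads), the practical mitigation when you cannot remove the capability is to make sure what reaches the agent carries no reusable credential. The following is an added example, not the package's code: a kubeconfig redactor that keeps endpoints but blanks every credential-bearing user field, a Secret describer that returns key names and sizes but never values, and a leak check over the serialised output. The kubeconfig and Secret are constructed samples in the shapes the Kubernetes API returns.

```python
"""Hand cluster access material to an agent without the credentials in it.

Added example, not the package's code.  SAMPLE_KUBECONFIG and SAMPLE_SECRET are
constructed; the token and key material in them are placeholders."""
from __future__ import annotations

import base64
import copy
import json

REDACTED = "<redacted>"
# user-level kubeconfig fields that carry reusable credentials (v1 Config schema)
CREDENTIAL_FIELDS = {"client-certificate-data", "client-key-data", "client-key",
                     "client-certificate", "token", "tokenFile", "password",
                     "exec", "auth-provider"}

SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "cce-prod", "cluster": {
        "server": "https://192.0.2.10:5443",
        "certificate-authority-data": "Q0EtREFUQQ=="}}],
    "users": [
        {"name": "cce-admin", "user": {
            "client-certificate-data": "Q0VSVC1EQVRB",
            "client-key-data": "UFJJVkFURS1LRVk="}},
        {"name": "cce-token", "user": {"token": "hw-iam-token-EXAMPLE"}},
    ],
    "contexts": [{"name": "prod", "context": {"cluster": "cce-prod", "user": "cce-admin"}}],
    "current-context": "prod",
}

SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "db-creds", "namespace": "payments"},
    "data": {"password": base64.b64encode(b"hunter2").decode(),
             "DATABASE_URL": base64.b64encode(b"postgres://app:hunter2@db:5432/pay").decode()},
}


def redact_kubeconfig(cfg: dict) -> dict:
    """Copy of cfg with every credential-bearing user field replaced; endpoints stay."""
    out = copy.deepcopy(cfg)
    for entry in out.get("users", []):
        user = entry.get("user", {})
        for field in list(user):
            if field in CREDENTIAL_FIELDS:
                user[field] = REDACTED
    return out


def describe_secret(secret: dict) -> dict:
    """Name, type and key inventory (decoded byte lengths) of a Secret, never its values."""
    meta = secret["metadata"]
    return {
        "name": meta["name"],
        "namespace": meta.get("namespace", "default"),
        "type": secret.get("type", "Opaque"),
        "keys": {k: len(base64.b64decode(v)) for k, v in secret.get("data", {}).items()},
    }


def leaks(output: object, secret: dict, cfg: dict) -> list[str]:
    """Raw or decoded credential values that appear anywhere in the serialised output."""
    blob = json.dumps(output)
    sensitive: list[str] = []
    for v in secret.get("data", {}).values():
        sensitive += [v, base64.b64decode(v).decode(errors="replace")]
    for entry in cfg.get("users", []):
        sensitive += [str(v) for k, v in entry.get("user", {}).items() if k in CREDENTIAL_FIELDS]
    return [s for s in sensitive if s and s in blob]


if __name__ == "__main__":
    safe_cfg = redact_kubeconfig(SAMPLE_KUBECONFIG)
    print(json.dumps(safe_cfg["users"], indent=2))
    print(json.dumps(describe_secret(SAMPLE_SECRET), indent=2))
    print("leaks in raw kubeconfig:", leaks(SAMPLE_KUBECONFIG, SAMPLE_SECRET, SAMPLE_KUBECONFIG))
    print("leaks in redacted output:", leaks(safe_cfg, SAMPLE_SECRET, SAMPLE_KUBECONFIG))
```

The leak check is deliberately run on the serialised form the agent would see, so a value smuggled through a nested field or a decoded copy is caught the same way as a top-level one.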

Context-Inappropriate Capability

Medium severity, 92% confidence
Arbitrary pod log access broadens this skill from network diagnosis into application observability and data exposure. Logs frequently contain secrets, tokens, PII, internal URLs, stack traces, and business data, so unrestricted retrieval creates an unnecessary exfiltration path.

Description-Behavior Mismatch

High severity, 98% confidence
This file includes addon lifecycle and reconfiguration operations that can install, update, delete, and reconfigure live CCE cluster components, which materially exceeds a network-diagnosis skill's stated read-only troubleshooting purpose. In this context, capability overreach is dangerous because a caller expecting diagnostics could instead trigger privileged state changes to production clusters.

Context-Inappropriate Capability

High severity, 99% confidence
The skill can install and uninstall CCE addons even though its declared purpose is diagnosing network failures. Those operations permit remote modification of cluster state and could be abused to disrupt workloads, alter observability, or introduce unintended components under the guise of troubleshooting.

Context-Inappropriate Capability

High severity, 99% confidence
The bursting addon configuration routine rewrites live addon values such as subnet, VPC-related network identifiers, project fields, and scheduling/logging options. For a network-diagnosis skill, this is especially risky because it changes the very cluster networking configuration being investigated and could cause outages, misrouting, or policy drift.

Description-Behavior Mismatch

High severity, 92% confidence
This file materially exceeds the declared scope of a network-failure diagnosis skill by implementing broad application log discovery, audit-log querying, and log analysis workflows. In an agent-skill setting, scope expansion increases privilege exposure and enables access to operational and security-sensitive data that users would not reasonably expect from a network diagnoser.

Context-Inappropriate Capability

High severity, 97% confidence
The code can create and delete LogConfig custom resources, which are state-changing administrative actions rather than read-only diagnosis. In this skill context, that is especially dangerous because a user invoking network troubleshooting could be induced to modify cluster-wide log collection, disrupt observability, or redirect logs without understanding the administrative impact.

Context-Inappropriate Capability

Medium severity, 82% confidence
Querying and analyzing Kubernetes audit logs goes beyond narrow network-failure diagnosis and exposes security-relevant telemetry about users, verbs, resources, namespaces, and API activity. While read-only, this broadens surveillance capability and can leak sensitive operational metadata if the skill is invoked in a lower-trust context.

Description-Behavior Mismatch

High severity, 95% confidence
The module advertises and implements broad auto-inspection for generic cluster health, resource pressure, scaling, CrashLoop, and deployment state rather than being constrained to network-failure diagnosis. In an agent skill, this scope expansion can cause the agent to collect and reason over unrelated cluster state, violating least privilege and enabling unintended operational recommendations outside the declared manifest purpose.

Description-Behavior Mismatch

High severity, 96% confidence
The quick-check path performs workload and resource-health analysis including pod CPU, CrashLoopBackOff, and deployment replica mismatch, which are not network-specific. Because quick checks are likely to run frequently and automatically, this broadens data access and can trigger misleading or unsafe follow-on actions unrelated to a network incident.

Description-Behavior Mismatch

High severity, 95% confidence
The deep-diagnosis path gathers generic cluster diagnostics such as alarm analysis, memory TopN, deployments, nodes, and events, which exceed the stated network-failure purpose. In the context of an agent skill, this creates unnecessary exposure of operational metadata and increases the chance that the agent produces remediation advice affecting workload scaling or resource tuning rather than network troubleshooting.

VirusTotal

VirusTotal findings are pending for this skill version.