Huawei Cloud Cce Node Failure Diagnoser

Security checks across malware telemetry and agentic risk

Overview

The skill is framed as a read-only Huawei CCE node diagnoser, but the package exposes broader cluster administration, secret retrieval, kubeconfig export, and weak credential-handling paths.

Review before installing. Use only least-privileged, preferably read-only Huawei Cloud credentials; avoid production cluster-admin credentials; do not invoke undocumented dispatcher actions; treat generated reports, logs, kubeconfigs, and raw outputs as sensitive; and run it only in an isolated workspace where temporary files and report paths cannot expose secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (74)

Natural-Language Policy Violations

Severity: Medium | Confidence: 93%
Finding
The skill instructs the agent to output a complete Markdown diagnosis report in Chinese and to '最终只输出 Markdown 诊断报告' (roughly: "in the end, output only the Markdown diagnosis report"), which can override user language or format preferences. This is a policy/control issue rather than code execution, but it can degrade usability, cause instruction conflicts, and make the agent less responsive to user intent.

Missing User Warnings

Severity: Medium | Confidence: 89%
Finding
The remediation flow enables rollout diagnosis with logs by default via `include_logs=_to_bool(params.get("include_logs"), True)`, which can collect and return pod logs and related diagnostics without an explicit opt-in or prominent warning. In this skill context, rollout logs may contain secrets, tokens, internal endpoints, stack traces, or customer data, so automatic collection increases confidentiality risk, especially when the tool is triggered for operational diagnosis rather than forensic data extraction.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding
The code fetches Cluster Autoscaler pod logs and incorporates log content/snippets directly into evidence and the generated markdown report. Pod logs can contain sensitive operational data such as internal hostnames, cloud API errors, IAM details, tokens accidentally logged by components, or workload metadata, and this code does not redact, gate, or warn before exposing them.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding
The function writes the generated report to an arbitrary caller-supplied filesystem path with no validation, sandboxing, or warning. If an attacker can influence output_file, they may overwrite sensitive files, drop data into privileged locations, or persist sensitive diagnostic content in unintended places, especially if the process runs with elevated permissions.

Missing User Warnings

Severity: High | Confidence: 99%
Finding
`get_cce_kubeconfig` returns the full kubeconfig structure and also serializes it to YAML, which includes live client certificate/key material usable to authenticate to the cluster. In a skill context, returning this directly to the caller creates a credential exfiltration path and can grant broad cluster access well beyond diagnostics.

Missing User Warnings

Severity: High | Confidence: 98%
Finding
`list_cce_secrets` can return full Secret `data` when `include_data=True`, exposing Kubernetes secrets directly to the caller. In an agent skill, this is especially dangerous because secrets often contain passwords, API tokens, TLS keys, and cloud credentials, making credential theft trivial.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
The function installs a CCE addon by calling create_addon_instance immediately after parameter validation, with no explicit confirmation flag, dry-run mode, or user-facing warning that this is a state-changing cluster operation. In an agent skill context, this is dangerous because a user asking for diagnosis could trigger unintended infrastructure modification, expanding blast radius from read-only inspection to live cluster changes.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The update function performs a live addon configuration/version change through update_addon_instance without any explicit confirmation or safety interlock. Because this skill is described as a node failure diagnoser, embedding write-capable update behavior increases the risk that an automated agent or confused user performs disruptive changes while intending only to inspect node health.

Missing User Warnings

Severity: Medium | Confidence: 97%
Finding
This function fetches current addon state, patches networking and scheduling-related values, and pushes the new configuration to the live cluster via update_addon_instance with no explicit confirmation. Reconfiguring bursting, subnet, proxy, or log collection settings can directly affect scheduling and network behavior, so silent execution by an agent is particularly risky and can cause service disruption or unexpected exposure.

Missing User Warnings

Severity: Medium | Confidence: 98%
Finding
The code explicitly disables TLS certificate verification for Kubernetes API access by setting verify_ssl to False. In a cluster-diagnostic skill that fetches short-lived client certificates and talks to the control plane, this enables man-in-the-middle attacks against the Kubernetes API endpoint, potentially exposing cluster credentials and allowing tampering with API responses.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The audit log query path returns parsed events plus raw audit payloads, request URIs, source IPs, usernames, and user agents directly to the caller without redaction or sensitivity warnings. Audit logs commonly contain sensitive operational metadata and sometimes tokens, object names, or request details that can aid reconnaissance or expose privileged activity patterns.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The function writes full scan outputs to an arbitrary user-supplied directory, and when include_raw is enabled it persists detailed cluster inventory including nodes, pods, labels, services, ingresses, and potentially sensitive infrastructure metadata. In a diagnostic skill context, this creates a real confidentiality risk because operators may run the skill on shared hosts, CI runners, or agent environments where disk artifacts are retained, indexed, or accessible to other users without any explicit warning or minimization.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
The code writes reports, summaries, HTML, SVG, raw API responses, and history records to a caller-controlled output/history directory without any built-in consent gate or sensitivity filtering. In this skill context, those artifacts can contain cluster topology, deployment names, autoscaling configuration, node metrics, and potentially raw cloud responses, creating an unnecessary local data exposure risk if stored on shared hosts or insecure paths.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding
The get_cce_kubeconfig function returns full kubeconfig material, including client certificates/tokens and server endpoints, with no explicit confirmation, warning, masking, or least-privilege control. In an agent skill context, this can expose cluster-admin access material to the caller or downstream logs/transcripts, enabling unauthorized Kubernetes API access if mishandled.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding
The bind_cce_cluster_eip function enables public exposure of the Kubernetes control plane by attaching an external EIP, but it does so without any confirmation gate or explicit risk warning. In this skill context, that can materially increase attack surface and permit accidental internet exposure of a sensitive administrative endpoint.

Missing User Warnings

Severity: Medium | Confidence: 89%
Finding
When include_raw is enabled, the function writes raw API responses for nodes, pods, deployments, HPAs, and metrics directly to disk. In this cluster-diagnostics context, those files can contain sensitive operational metadata and workload details, and the code provides no consent prompt, redaction, or output-path restrictions before persisting them.

Missing User Warnings

Severity: Low | Confidence: 80%
Finding
The code writes summary and Markdown report artifacts to a caller-supplied directory without any disclosure or guardrails. Although less sensitive than full raw responses, these reports still contain cluster identifiers, namespace information, utilization data, and recommendations that may expose internal infrastructure details if written to an unsafe location.

Missing User Warnings

Severity: Medium | Confidence: 98%
Finding
The code writes a live kubeconfig obtained from cloud APIs to a predictable file under /tmp, which is a shared, world-accessible location on many systems and commonly targeted for credential theft. In this skill’s context, that kubeconfig can grant cluster access, so any local user, co-tenant process, symlink attack, or leftover file exposure could lead to unauthorized access to the Kubernetes cluster.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
This function performs a state-changing operation by patching deployment scale directly, without any built-in confirmation, dry-run, authorization gate, or user warning in the function itself. In an agent skill, that is dangerous because a diagnosis workflow can unexpectedly mutate production workloads, causing outages, cost changes, or masking the original incident.

Missing User Warnings

Severity: Low | Confidence: 83%
Finding
The code persists an inventory of abnormal node IPs to disk under a fixed report directory without notifying the user or minimizing retention. While less severe than credential leakage, infrastructure inventory can aid reconnaissance by revealing internal node addresses and failure state to other local users or later processes.

Missing User Warnings

Severity: Medium | Confidence: 99%
Finding
The code explicitly disables TLS certificate verification for Kubernetes API connections with `configuration.verify_ssl = False`. This permits man-in-the-middle interception of the cluster API session, allowing an attacker on the network path to spoof the API server, capture client-certificate-authenticated requests, or tamper with HPA operations and returned cluster data.

Missing User Warnings

Severity: Medium | Confidence: 98%
Finding
The subagent task generator builds shell command strings that directly include `ak` and `sk`, which exposes cloud credentials to logs, process listings, debugging output, downstream agents, and any UI that displays the generated command. In this skill’s context, the credentials are highly sensitive because they grant access to Huawei Cloud resources used for cluster inspection, so plaintext propagation materially increases the risk of account compromise.

Missing User Warnings

Severity: Medium | Confidence: 99%
Finding
The generated subagent prompt explicitly prints `ak` and `sk` in the prompt body and command example, causing direct secret disclosure to any subagent, transcript, log sink, or human reviewer of the prompt. Because this skill is designed to orchestrate other agents, prompt-level credential disclosure is especially dangerous: it unnecessarily broadens secret exposure across agent boundaries and can lead to reuse or exfiltration.

Missing User Warnings

Severity: Medium | Confidence: 99%
Finding
The Kubernetes client explicitly disables TLS certificate validation with `configuration.verify_ssl = False`, which permits man-in-the-middle interception or redirection of API traffic to an attacker-controlled endpoint. In this skill, the client then uses short-lived client certificates to query cluster resources, so disabling server authentication undermines the trust model for all subsequent cluster reads and can expose sensitive operational data or credentials.

Missing User Warnings

Severity: High | Confidence: 98%
Finding
`list_cce_secrets` can return Kubernetes Secret contents when `include_data=True`, with no guardrails, redaction, or warning. Since Kubernetes Secrets often contain API keys, tokens, passwords, and certificates, this creates a direct secret-exfiltration path to any caller able to invoke the skill.

VirusTotal

VirusTotal findings are pending for this skill version.