Huawei Cloud CCE Observability Context Builder

Security checks across malware telemetry and agentic risk

Overview

The skill presents itself as read-only observability tooling but ships under-disclosed cloud and Kubernetes admin actions that can change infrastructure or expose credentials.

Install only if you intend to give this skill broad Huawei Cloud and Kubernetes administrative access, not just read-only observability access. Use least-privilege AK/SK credentials, avoid granting delete/create/scale/createCert/secret-read permissions unless truly needed, review the dispatcher action list before use, and do not run it in production without external confirmation controls and a safe output directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (60)

Intent-Code Divergence

Severity: High. Confidence: 98%.
Finding
The file declares a hard security requirement that certificates must never be written to disk, yet `_configure_k8s_client_certificate_files` decodes kubeconfig client certificate and private key material and writes both to filesystem paths. Even if intended as temporary files, this creates a credential exposure window through insecure temp-file permissions, host compromise, backup/snapshot capture, or cleanup failure, and it directly violates the stated control boundary.
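A bounded-exposure way to handle the decoded material when the Kubernetes client insists on file paths, as an added example that is not code from the skill or from SkillSpector: the certificate and key are written only inside a fresh 0700 directory, each file is created with mode 0600 before any byte lands, and everything is removed when the block exits, even on error. The PEM blobs are constructed and non-functional, and the `ephemeral_credential_files`, `file_mode` and `demo` names are this example's own.

```python
import os
import stat
import tempfile
from contextlib import contextmanager
from pathlib import Path


@contextmanager
def ephemeral_credential_files(cert_pem: bytes, key_pem: bytes):
    """Yield (cert_path, key_path) for decoded kubeconfig material, bounded to the `with` block.

    mkdtemp() creates the directory 0700; each file is created with O_EXCL and mode 0600 so it is
    never group/world readable, not even between creation and the first write. Both files and
    the directory are removed on exit, including when the body raises.
    """
    tmp_dir = Path(tempfile.mkdtemp(prefix="cce-client-"))
    cert_path = tmp_dir / "client.crt"
    key_path = tmp_dir / "client.key"
    try:
        for path, data in ((cert_path, cert_pem), (key_path, key_pem)):
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
        yield str(cert_path), str(key_path)
    finally:
        for path in (key_path, cert_path):
            try:
                path.unlink()
            except FileNotFoundError:
                pass
        try:
            tmp_dir.rmdir()
        except OSError:
            pass  # leave a non-empty dir rather than recursively deleting under a possibly swapped path


def file_mode(path: str) -> int:
    """Permission bits of a path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Exercise the context manager with constructed (non-functional) PEM blobs."""
    cert_pem = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    key_pem = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
    with ephemeral_credential_files(cert_pem, key_pem) as (cert_path, key_path):
        snapshot = {
            "cert_mode": file_mode(cert_path),
            "key_mode": file_mode(key_path),
            "dir_mode": file_mode(os.path.dirname(key_path)),
            "key_bytes_match": Path(key_path).read_bytes() == key_pem,
        }
    snapshot["left_on_disk"] = os.path.exists(cert_path) or os.path.exists(key_path)
    return snapshot


if __name__ == "__main__":
    print(demo())
```

The paths yielded inside the `with` block are what a client configuration that takes `cert_file`/`key_file` arguments would consume; the window is the lifetime of the block, not the lifetime of the process. Where the HTTP stack can take the key in memory, that path satisfies the stated "never on disk" requirement outright and should be preferred.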

Intent-Code Divergence

Severity: Medium. Confidence: 88%.
Finding
The module presents itself as a read/query wrapper, but the exported aliases include destructive and mutating operations such as cluster deletion, node deletion, workload deletion, scaling, and node-pool resizing. This capability mismatch is dangerous because consumers may grant or invoke the skill under the assumption it is read-only, enabling unauthorized or accidental destructive actions.

Context-Inappropriate Capability

Severity: Medium. Confidence: 86%.
Finding
The module performs rollout diagnosis with include_logs defaulting to true and can persist a generated markdown report to an arbitrary user-supplied output_file path. In an agent skill context, this can expose pod logs, cluster metadata, and diagnostic content to unintended destinations on the local filesystem, increasing the risk of sensitive information disclosure if the caller is untrusted or the environment is shared.

Context-Inappropriate Capability

Severity: High. Confidence: 99%.
Finding
The skill exposes Kubernetes Secret enumeration and can optionally return secret data contents directly to the caller. Secret objects commonly contain credentials, tokens, API keys, and certificates, so this creates a direct credential-exfiltration capability beyond routine cluster inspection.

Context-Inappropriate Capability

Severity: High. Confidence: 99%.
Finding
This function generates and returns a full kubeconfig, including client certificate material, which grants broad cluster access outside the tool itself. Returning reusable cluster credentials to callers materially increases the risk of credential theft, lateral movement, and persistent unauthorized access.

Context-Inappropriate Capability

Severity: Medium. Confidence: 92%.
Finding
The function generates and returns a cluster kubeconfig, which is effectively a credential granting Kubernetes API access. In an agent skill context, returning this material as ordinary function output is dangerous because downstream components, logs, chat transcripts, or untrusted callers may capture and misuse it, enabling full cluster access depending on the certificate's privileges.
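One way to keep the Secret enumeration finding and the two kubeconfig findings above from turning ordinary tool output into a credential channel, as an added example that is not code from the skill or from the scanner: redact credential-bearing fields before anything is returned to the agent, replacing each value with its byte length and a non-reversible fingerprint so the caller can still tell secrets apart and notice rotation. The sample Secret and kubeconfig are constructed, and the `redact_secret`/`redact_kubeconfig` helpers are this example's own.

```python
import base64
import hashlib
from copy import deepcopy

# kubeconfig `users[].user` keys that carry reusable credentials. The client certificate itself is
# public material and stays visible so a caller can still see which identity the config uses.
KUBECONFIG_CREDENTIAL_KEYS = {"client-key-data", "client-key", "token", "password", "auth-provider", "exec"}

# This annotation replays the whole applied object, Secret data included.
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def _fingerprint(value: str) -> str:
    """Non-reversible handle: lets a caller correlate two secrets or detect rotation without the value."""
    return "sha256:" + hashlib.sha256(value.encode()).hexdigest()[:16]


def redact_secret(secret: dict) -> dict:
    """Copy of a Kubernetes Secret with every .data value replaced by size + fingerprint."""
    out = deepcopy(secret)
    for key, b64 in list((out.get("data") or {}).items()):
        out["data"][key] = {
            "redacted": True,
            "bytes": len(base64.b64decode(b64)),
            "fingerprint": _fingerprint(b64),
        }
    if out.get("stringData"):  # write-only in the API, but present in manifests handed to the tool
        out["stringData"] = {k: {"redacted": True} for k in out["stringData"]}
    ((out.get("metadata") or {}).get("annotations") or {}).pop(LAST_APPLIED, None)
    return out


def redact_kubeconfig(kubeconfig: dict) -> dict:
    """Copy of a kubeconfig with credential-bearing user fields replaced by fingerprints."""
    out = deepcopy(kubeconfig)
    for entry in out.get("users") or []:
        user = entry.get("user") or {}
        for key in list(user):
            if key in KUBECONFIG_CREDENTIAL_KEYS:
                user[key] = {"redacted": True, "fingerprint": _fingerprint(str(user[key]))}
    return out


# Constructed sample objects (not real cluster data).
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {
        "name": "db-creds", "namespace": "prod",
        "annotations": {LAST_APPLIED: '{"data":{"password":"aHVudGVyMi1jb25zdHJ1Y3RlZA=="}}'},
    },
    "data": {"password": base64.b64encode(b"hunter2-constructed").decode()},
}
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "cce-demo", "cluster": {"server": "https://192.0.2.10:5443"}}],
    "users": [{"name": "cce-user", "user": {
        "client-certificate-data": "LS0tLS1CRUdJTiBDRVJU",
        "client-key-data": "LS0tLS1CRUdJTiBQUklWQVRF",
    }}],
}


if __name__ == "__main__":
    print(redact_secret(SAMPLE_SECRET))
    print(redact_kubeconfig(SAMPLE_KUBECONFIG))
```

The redacted form is what a read-only profile should return by default; handing out the raw object or the raw kubeconfig should be a separately gated action, not a flag on a read call.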

Intent-Code Divergence

Severity: Medium. Confidence: 95%.
Finding
The docstring states EIP metrics are limited to EIPs associated with ELB and NAT gateways, but _get_eip_metrics() calls network.list_eip_addresses() and processes all regional EIPs without filtering. In a monitoring skill, this can cause unintended overcollection and disclosure of infrastructure metadata outside the target cluster scope, violating least-privilege and surprising users about what resources are being inspected.

Intent-Code Divergence

Severity: Medium. Confidence: 96%.
Finding
The docstring says ELB metrics are for ELBs associated with LoadBalancer services, but _get_elb_metrics() enumerates all load balancers in the region via elb.list_elb_loadbalancers() before any correlation. In this skill context, that mismatch expands visibility beyond the requested cluster and may expose unrelated load balancer names, IPs, EIPs, and metrics to callers expecting cluster-scoped results.
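Correlation performed before anything from the regional listings is returned, covering both the EIP and the ELB findings above, as an added example that is not the skill's code: ELB IDs come from the cluster's own LoadBalancer Services, EIPs are kept only when attached to one of those ELBs or to a NAT gateway in the cluster's VPC, and everything else is dropped inside the function. The records, the `kubernetes.io/elb.id` annotation, the `associate_instance_type`/`associate_instance_id` fields and the NAT gateway set are constructed assumptions about the shape of the responses, not the Huawei Cloud SDK's schema.

```python
from typing import Dict, Iterable, List, Set

# Constructed list responses (field names are assumptions for this example).
EIPS = [
    {"id": "eip-1", "public_ip_address": "203.0.113.10", "associate_instance_type": "ELB", "associate_instance_id": "lb-a"},
    {"id": "eip-2", "public_ip_address": "203.0.113.11", "associate_instance_type": "NATGW", "associate_instance_id": "nat-1"},
    {"id": "eip-3", "public_ip_address": "203.0.113.12", "associate_instance_type": "PORT", "associate_instance_id": "port-9"},
    {"id": "eip-4", "public_ip_address": "203.0.113.13", "associate_instance_type": None, "associate_instance_id": None},
]
LOADBALANCERS = [
    {"id": "lb-a", "name": "cluster-ingress", "vip_address": "10.0.0.5"},
    {"id": "lb-b", "name": "unrelated-app", "vip_address": "10.0.0.6"},
]
SERVICES = [
    {"metadata": {"namespace": "prod", "name": "web", "annotations": {"kubernetes.io/elb.id": "lb-a"}},
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"namespace": "prod", "name": "api", "annotations": {}}, "spec": {"type": "ClusterIP"}},
]
CLUSTER_NAT_GATEWAY_IDS: Set[str] = {"nat-1"}  # NAT gateways in the cluster's VPC, also constructed


def cluster_elb_ids(services: Iterable[dict]) -> Set[str]:
    """ELB IDs bound to LoadBalancer Services in the target cluster: the only ELBs in scope."""
    ids: Set[str] = set()
    for svc in services:
        if (svc.get("spec") or {}).get("type") != "LoadBalancer":
            continue
        annotations = (svc.get("metadata") or {}).get("annotations") or {}
        elb_id = annotations.get("kubernetes.io/elb.id")
        if elb_id:
            ids.add(elb_id)
    return ids


def scoped_loadbalancers(loadbalancers: Iterable[dict], elb_ids: Set[str]) -> List[dict]:
    """Correlate before returning: unrelated ELBs never leave this function."""
    return [lb for lb in loadbalancers if lb["id"] in elb_ids]


def scoped_eips(eips: Iterable[dict], elb_ids: Set[str], nat_ids: Set[str]) -> List[dict]:
    """Keep EIPs attached to an in-scope ELB or NAT gateway; unattached and port EIPs are dropped."""
    keep = []
    for eip in eips:
        kind, inst = eip.get("associate_instance_type"), eip.get("associate_instance_id")
        if (kind == "ELB" and inst in elb_ids) or (kind == "NATGW" and inst in nat_ids):
            keep.append(eip)
    return keep


def collect_network_scope(services=SERVICES, eips=EIPS, loadbalancers=LOADBALANCERS,
                          nat_ids=CLUSTER_NAT_GATEWAY_IDS) -> Dict[str, list]:
    """What a cluster-scoped metrics collector should hand on to the metric queries."""
    elb_ids = cluster_elb_ids(services)
    return {
        "elb_ids": sorted(elb_ids),
        "loadbalancers": scoped_loadbalancers(loadbalancers, elb_ids),
        "eips": scoped_eips(eips, elb_ids, nat_ids),
    }


if __name__ == "__main__":
    print(collect_network_scope())
```

With no LoadBalancer Services and no NAT gateways the result is empty, which is the correct answer for a cluster that owns no public-facing resources, rather than every EIP in the region.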

Intent-Code Divergence

Severity: High. Confidence: 98%.
Finding
The file is presented as a diagnosis tool, but `scale_workload` performs a real state-changing action by patching a Kubernetes Deployment's replica count. In a diagnostic context this is dangerous because operators or downstream agents may invoke it expecting read-only behavior, causing unexpected production changes, service disruption, cost increases, or masking the original incident.

Intent-Code Divergence

Severity: High. Confidence: 96%.
Finding
The diagnosis tool also exposes `huawei_expand_nodepool`, which delegates to `resize_node_pool` and can change infrastructure capacity. Embedding infrastructure mutation inside a troubleshooting skill materially raises the risk of unintended cloud changes, cost impact, and operational instability when the skill is assumed to be investigative only.

Intent-Code Divergence

Severity: Medium. Confidence: 95%.
Finding
The module-level docstring states the analyzer is read-only, but analyze_change_impact() will write report_markdown to a caller-controlled output_file path. This mismatch can mislead operators, wrappers, or higher-level agents into granting broader trust than warranted and may result in unintended filesystem modification.

Context-Inappropriate Capability

Severity: Medium. Confidence: 93%.
Finding
The skill includes state-changing ECS lifecycle operations (stop, start, reboot) in addition to read-only inventory and metrics functions, which expands it from observational cloud tooling into infrastructure control. In an agent context, these actions can be triggered on production instances and cause service interruption, especially because the file metadata provides no clear bounded administrative purpose or authorization model.
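The declared-effect dispatcher the Overview asks reviewers to look for, as an added example that is not the skill's dispatcher (the page does not reproduce its action list): every action registers as READ or MUTATE, the default profile refuses MUTATE before any handler runs, and even with mutations enabled each call must pass an external confirmation callback that sees the action name and its arguments. This one pattern covers the deletion and scaling aliases, `scale_workload`, `huawei_expand_nodepool` and the ECS stop/start/reboot operations in the findings above. The in-memory cluster state, the action names and the `build_dispatcher`/`attempt` helpers are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Any, Callable, Dict, List, Optional


class Effect(Enum):
    READ = "read"
    MUTATE = "mutate"


class ReadOnlyViolation(PermissionError):
    """Raised when a mutating action is requested without the mutation profile and confirmation."""


@dataclass
class Action:
    name: str
    effect: Effect
    handler: Callable[..., Any]


class Dispatcher:
    """Registry where every exported action declares its effect up front.

    In the default read-only profile, MUTATE actions raise before touching any handler. With
    allow_mutations=True each MUTATE call must still be approved by an external `confirm`
    callback (a ticket check, a human prompt, a policy engine) given the action and its arguments.
    """

    def __init__(self, allow_mutations: bool = False,
                 confirm: Optional[Callable[[str, dict], bool]] = None) -> None:
        self._actions: Dict[str, Action] = {}
        self.allow_mutations = allow_mutations
        self.confirm = confirm
        self.audit: List[tuple] = []

    def register(self, name: str, effect: Effect):
        def decorator(fn):
            self._actions[name] = Action(name, effect, fn)
            return fn
        return decorator

    def exported_mutations(self) -> List[str]:
        """The list a reviewer should read before granting credentials to this skill."""
        return sorted(n for n, a in self._actions.items() if a.effect is Effect.MUTATE)

    def call(self, name: str, **kwargs):
        action = self._actions[name]  # unknown names fail closed with KeyError; no alias lookup
        if action.effect is Effect.MUTATE:
            if not self.allow_mutations:
                self.audit.append(("denied", name, kwargs))
                raise ReadOnlyViolation(f"{name} mutates state; this dispatcher is read-only")
            if self.confirm is None or not self.confirm(name, kwargs):
                self.audit.append(("unconfirmed", name, kwargs))
                raise ReadOnlyViolation(f"{name} was not confirmed externally")
        self.audit.append(("ran", name, kwargs))
        return action.handler(**kwargs)


def build_dispatcher(allow_mutations: bool = False, confirm=None) -> Dispatcher:
    """Wire a constructed in-memory cluster behind read and mutate actions (no real API calls)."""
    state = {"replicas": {"prod/web": 3}, "nodes": ["node-1", "node-2"]}
    d = Dispatcher(allow_mutations=allow_mutations, confirm=confirm)

    @d.register("get_replicas", Effect.READ)
    def get_replicas(workload: str) -> int:
        return state["replicas"][workload]

    @d.register("scale_workload", Effect.MUTATE)
    def scale_workload(workload: str, replicas: int) -> int:
        state["replicas"][workload] = replicas
        return replicas

    @d.register("delete_node", Effect.MUTATE)
    def delete_node(node: str) -> List[str]:
        state["nodes"].remove(node)
        return list(state["nodes"])

    d.state = state  # exposed so callers can verify that a denied action changed nothing
    return d


def attempt(d: Dispatcher, name: str, **kwargs):
    """Return ("ok", result) or ("denied", reason) without propagating the refusal."""
    try:
        return "ok", d.call(name, **kwargs)
    except ReadOnlyViolation as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    ro = build_dispatcher()
    print(ro.exported_mutations(), attempt(ro, "scale_workload", workload="prod/web", replicas=50))
```

The mutation profile and the confirmation callback are the "external confirmation controls" the Overview asks for; the cloud credentials handed to a read-only profile can then be scoped to list/get permissions only, because no code path in that profile reaches a mutating handler.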

Context-Inappropriate Capability

Severity: Medium. Confidence: 92%.
Finding
The file is presented as an LTS log-querying tool, but it also obtains Kubernetes cluster access and enumerates custom resources inside a CCE cluster. That expands scope from cloud log retrieval into cluster-level access, increasing blast radius and exposing users to sensitive operations they may not expect from this skill. The mismatch between stated purpose and actual capabilities makes the behavior more dangerous in agent/skill contexts.

Intent-Code Divergence

Severity: Medium. Confidence: 94%.
Finding
The docstring understates the sensitivity of the function: it does not just read LogConfig CRs, it creates cluster client certificates, disables TLS verification, writes credential material to disk, and probes several CRD API groups. Hidden sensitive behavior is risky because operators may invoke the function without understanding that it performs privileged cluster-authentication steps and broad API probing.

Intent-Code Divergence

Severity: Medium. Confidence: 96%.
Finding
The docstring describes an SDK-style implementation, but the function actually builds a custom signed HTTP request and later disables TLS certificate verification. This mismatch is dangerous because reviewers and downstream users may assume standard SDK security properties and overlook the added attack surface from bespoke signing and insecure transport handling.

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
Finding
The generated HTML embeds executable JavaScript from a third-party CDN (jsDelivr) at report view time. If the CDN, the dependency, or the network path is compromised, anyone opening the report executes attacker-controlled script in their browser; that is especially risky because the report also renders operational data and is likely to be opened in privileged internal environments. Pinning the script with a Subresource Integrity hash, or bundling the vendored script into the report, removes the dependency on the CDN's integrity.
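Two ways to remove the trust placed in the CDN, as an added example that is not the report generator's code: pin the external script with a Subresource Integrity hash, or inline the vendored bytes under a Content-Security-Policy that permits only that script by hash. `CHART_JS` is a constructed placeholder for the library the report loads (the page does not name it), and the helper names are this example's own.

```python
import base64
import hashlib
import html

# Constructed stand-in for the charting script. In a real build the bytes are the exact file the
# report expects, fetched once and vendored, so the hash pins what the browser will execute.
CHART_JS = b"/* constructed placeholder for a charting library */\nwindow.renderChart = function () {};\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value: '<algo>-<base64 digest>' over the exact bytes served."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def cdn_script_tag(src: str, content: bytes) -> str:
    """External script pinned by hash: a modified CDN asset fails the check and does not run.

    crossorigin="anonymous" is required for SRI on cross-origin loads (the CDN must send CORS headers).
    """
    return (f'<script src="{html.escape(src)}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def inline_script_body(content: bytes) -> str:
    """Script text safe to embed: a '</script' inside the payload must not close the tag early."""
    return content.decode("utf-8").replace("</script", "<\\/script")


def inline_script_tag(content: bytes) -> str:
    """Alternative with no network dependency: embed the vendored bytes in the report itself."""
    return f"<script>{inline_script_body(content)}</script>"


def csp_meta_for_inline(content: bytes) -> str:
    """CSP allowing only the embedded script, by hash of the exact text placed in the document."""
    script_hash = sri_hash(inline_script_body(content).encode("utf-8"))
    return (f'<meta http-equiv="Content-Security-Policy" '
            f"content=\"default-src 'none'; script-src '{script_hash}'; "
            f"style-src 'unsafe-inline'; img-src data:\">")


def report_head(content: bytes) -> str:
    """Head fragment for the inline variant: the policy comes first so it governs the script."""
    return csp_meta_for_inline(content) + "\n" + inline_script_tag(content)


if __name__ == "__main__":
    print(cdn_script_tag("https://cdn.jsdelivr.net/npm/example@1.0.0/dist/example.min.js", CHART_JS))
    print(report_head(CHART_JS))
```

The inline variant is the better fit for a report that is opened offline or inside a restricted network, and the CSP makes any other script in the page, including one smuggled in through rendered log or event text, inert.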

Context-Inappropriate Capability

Severity: Medium. Confidence: 90%.
Finding
The function writes generated report content to a caller-supplied local path via `Path(output_file).write_text(...)` without validation, sandboxing, or restriction to a safe output directory. In an agent or automation context, this can enable arbitrary file overwrite/clobbering, which may damage local state, poison downstream workflows, or overwrite sensitive files if the process has sufficient filesystem permissions.

Description-Behavior Mismatch

Severity: Medium. Confidence: 86%.
Finding
The module presents itself as a storage failure diagnosis skill but also exposes auxiliary inventory and collection actions that enumerate storage classes, volume attachments, node stats, and CSI logs. In an agent setting this expands the capability surface beyond the apparent user task, increasing the risk of unnecessary infrastructure discovery and sensitive operational data exposure.

Context-Inappropriate Capability

Severity: Medium. Confidence: 90%.
Finding
The code reads Kubernetes Secret metadata as part of config reference collection, even though the main function is diagnosis. While it does not fetch secret values, secret names, namespaces, creation times, and management history are still sensitive inventory data that can aid reconnaissance or reveal internal credential usage patterns.

Context-Inappropriate Capability

Severity: Medium. Confidence: 89%.
Finding
The diagnosis module can directly inventory cloud security groups and VPC ACLs in addition to storage resources. This broadens the tool from troubleshooting into network reconnaissance, which can expose security topology and increase blast radius if the skill is invoked inappropriately or by a less-privileged workflow.

Description-Behavior Mismatch

Severity: Low. Confidence: 83%.
Finding
The function advertises diagnosis but returns a full raw infrastructure snapshot and markdown report containing broad cluster state, events, annotations, labels, mounts, and logs. That over-returns sensitive operational data relative to the stated purpose and can leak internal topology or workload details to downstream consumers.

Intent-Code Divergence

Severity: Medium. Confidence: 98%.
Finding
The script advertises AK/SK authentication support, but the implementation does not actually perform signed AK/SK authentication and instead later substitutes placeholder values. This can mislead operators into believing strong credential-based access is being used when requests may fail, behave unpredictably, or encourage insecure workarounds.

Intent-Code Divergence

Severity: Medium. Confidence: 96%.
Finding
The code claims to use default credentials or project ID for authentication, but no such authentication occurs. Misrepresenting authentication behavior is dangerous because users may run the tool under the false assumption that requests are authenticated, potentially causing unauthorized access attempts, broken security checks, or unsafe operational decisions based on incomplete results.

Missing User Warnings

Severity: Low. Confidence: 88%.
Finding
The function writes a generated report to whatever path is supplied via `output_file` and creates parent directories automatically, with no validation or restriction of the destination. If an untrusted caller can control this argument, the skill can overwrite arbitrary files accessible to the process, which is a path traversal / arbitrary file write risk even though the content is only markdown.
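A guard for the `output_file` parameter called out in this finding and in the earlier `Path(output_file).write_text(...)` finding, as an added example that is not the skill's code: every requested path is resolved under a fixed report directory and rejected if it is absolute, escapes through `..` (even behind a directory that does not exist yet), passes through a symlink that leads outside, ends in a symlink, or is not a report file type. Parent directories are still created, but only inside that root. The temporary directories and the `demo` function are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Iterable


class UnsafeOutputPath(ValueError):
    """The requested output_file would land outside the report directory or go through a symlink."""


def safe_output_path(output_file: str, root: str,
                     allowed_suffixes: Iterable[str] = (".md", ".html", ".json")) -> Path:
    """Resolve output_file strictly inside root, or raise UnsafeOutputPath."""
    root_path = Path(root).resolve(strict=True)
    requested = Path(output_file)
    if requested.is_absolute():
        raise UnsafeOutputPath(f"absolute path not allowed: {output_file}")
    target = root_path / requested
    # Non-strict resolve follows symlinks in the existing prefix and then collapses '..' lexically,
    # so 'missing/../../x' and 'link-to-elsewhere/x' both end up where they would really be written.
    resolved = target.resolve()
    try:
        resolved.relative_to(root_path)
    except ValueError:
        raise UnsafeOutputPath(f"{output_file} resolves outside {root_path}") from None
    if target.is_symlink():
        raise UnsafeOutputPath(f"refusing to write through symlink: {output_file}")
    if resolved.suffix.lower() not in set(allowed_suffixes):
        raise UnsafeOutputPath(f"unexpected report extension: {resolved.suffix!r}")
    return resolved


def write_report(output_file: str, content: str, root: str) -> Path:
    """Write a report only under root; parent directories are created inside root only."""
    path = safe_output_path(output_file, root)
    path.parent.mkdir(parents=True, exist_ok=True)
    # O_NOFOLLOW closes the race where a symlink is planted between the check and the open.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o640)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    return path


def demo() -> dict:
    """Exercise the guard against constructed temp directories; report what was accepted and rejected."""
    root = tempfile.mkdtemp(prefix="cce-reports-")
    elsewhere = tempfile.mkdtemp(prefix="cce-outside-")
    os.symlink(elsewhere, os.path.join(root, "link"))
    written = write_report("prod/rollout.md", "# rollout\n", root)
    rejected = {}
    for candidate in ("../escape.md", "/tmp/abs.md", "new/dir/../../../escape.md",
                      "link/report.md", "notes.txt"):
        try:
            write_report(candidate, "x", root)
            rejected[candidate] = False
        except UnsafeOutputPath:
            rejected[candidate] = True
    return {
        "written_inside_root": str(written).startswith(str(Path(root).resolve())),
        "content": written.read_text(encoding="utf-8"),
        "rejected": rejected,
        "outside_untouched": os.listdir(elsewhere) == [],
    }


if __name__ == "__main__":
    print(demo())
```

The root should be a directory the skill owns (created 0700 at startup, or taken from a single configuration value), never the current working directory of whatever process happens to invoke the agent.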

Missing User Warnings

Severity: High. Confidence: 97%.
Finding
The function returns kubeconfig credential material with no explicit user-facing warning or protective friction despite enabling direct external cluster access. In a skill context, that omission makes accidental exposure more likely and lowers the barrier to misuse.

VirusTotal

VirusTotal findings are pending for this skill version.