Huawei Cloud CCE Ops Report Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as a read-only Huawei Cloud CCE report generator, but the packaged dispatcher exposes many live infrastructure and monitoring mutation actions.

Review carefully before installing. Use only least-privilege read-only Huawei Cloud credentials if you need reports, and do not expose this skill to autonomous workflows that could call arbitrary dispatcher actions. Treat it as a broad CCE administration bundle unless the publisher removes or isolates the write-capable actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (139)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
This report-generation skill exposes destructive cluster-management primitives via the compatibility alias map, including delete and resize/scale operations that are unrelated to generating ops reports. In an agent setting, this unnecessarily expands the action surface and could let a prompt, workflow bug, or downstream module trigger destructive infrastructure changes under the guise of reporting.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The code binds deletion and scaling capabilities such as delete_cce_cluster, delete_cce_node, delete_cce_workload, resize_node_pool, and scale_cce_workload into a tool advertised for consolidated reporting. That mismatch between declared purpose and actual capability makes accidental or malicious misuse much more likely, especially in autonomous or semi-autonomous agent workflows.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The security comments state that authentication material must never be saved to the filesystem, but the code later writes client certificate and key material derived from kubeconfig to temporary files for Kubernetes client use. Even if cleanup is attempted, temporary-file storage creates a window for disclosure through weak file permissions, crashes before cleanup, or other local-process access.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
This file belongs to a report-generation skill, but it includes broad state-changing administration functions such as creating, updating, enabling, disabling, and deleting AOM alarming resources. That is a dangerous capability mismatch: a user invoking a reporting skill could be induced to perform production monitoring changes, weakening alerting or deleting controls under the guise of reporting.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The module exposes monitoring configuration management unrelated to generating reports, including creation of event alarms and administration of action/mute rules. In the context of a reporting-focused skill, these extra capabilities expand the blast radius and create an opportunity for hidden or accidental modification of alerting pipelines.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill can delete AOM notification/action rules, which can silently break alert routing and suppress operator visibility during incidents. For a report generator, this is unjustified destructive power and materially increases the risk of abuse, accidental deletion, or social-engineering-driven sabotage.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The code can enable, disable, and delete AOM alarm rules, directly affecting whether critical monitoring fires. In a reporting context, these actions are not necessary and could be exploited to suppress alerts, hide outages, or degrade incident response while appearing to be a harmless reporting workflow.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
This file contains rollback orchestration that can change live Kubernetes Deployment state, despite the skill being declared as a report generator. In this context, hidden or undocumented state-changing capability is dangerous because a user invoking a reporting skill could unintentionally trigger operational remediation against production clusters if confirmation handling is bypassed elsewhere or integrated unsafely.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The main orchestration entrypoint performs diagnosis, rollback execution, recovery polling, and file output, which exceeds the documented purpose of generating reports. This mismatch increases the chance that higher-level agents or users will trust the skill as read-only while it actually contains write-side operational behavior, creating a privilege and expectation gap.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
Kubernetes rollback capability is not appropriate inside a report-generation skill because it enables mutation of workloads in an unexpectedly powerful context. Even with a preview-first design, embedding this capability where users expect reporting materially raises the risk of accidental or policy-violating production changes.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
Recovery polling, rollout diagnosis, and optional log collection are incident-response capabilities that go beyond simple report generation and may expose sensitive operational data such as pod logs and failure context. In a reporting skill, this broadens the accessible data surface and can lead to overcollection or unauthorized troubleshooting actions under a benign-seeming interface.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The module explicitly describes itself as remediation orchestration while the skill metadata presents a report generator, indicating a scope and disclosure mismatch. Such mismatches are security-relevant because agent frameworks, reviewers, and users may assign trust and permissions based on the manifest rather than the actual code behavior.

Description-Behavior Mismatch

High
Confidence: 93%
Finding
This file implements a full live troubleshooting workflow for CCE autoscaling, including cluster state collection, event inspection, HPA/CA diagnosis, and report generation from runtime data. That exceeds the declared ops-report-generator scope and creates a dangerous capability expansion: invoking the skill can trigger broad operational discovery against a cluster, increasing the risk of unauthorized reconnaissance and sensitive operational data exposure.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
The code actively locates Cluster Autoscaler pods in kube-system and fetches their current or previous logs, then parses them for failures, permissions, quotas, and infrastructure signals. kube-system logs can contain sensitive cluster topology, workload names, internal errors, and cloud-account details, so silently pulling them for a reporting skill is an intrusive diagnostic action with meaningful disclosure risk.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The function collects live top-N pod and node metrics from the cluster even though the skill is presented as a report generator rather than a live observability probe. This broadens data access and can expose workload names, resource consumption patterns, and operational hotspots without clear scope justification or disclosure.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
This file exposes destructive cluster and workload control capabilities including deleting clusters, deleting nodes, scaling workloads, draining nodes, modifying resources, hibernating clusters, and binding public endpoints. Those actions are far beyond the declared scope of a report-generation skill, so the skill materially expands operational blast radius and could be abused to disrupt infrastructure or change security posture.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The get_cce_kubeconfig function returns full kubeconfig material, including client credentials and endpoint details, directly to the caller. In a reporting context this is unnecessary credential exposure that can grant downstream API access to the Kubernetes cluster.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
Pod log retrieval provides troubleshooting and data-access functionality beyond consolidated reporting, and pod logs frequently contain secrets, tokens, internal URLs, stack traces, or user data. Exposing this in a reporting skill increases unauthorized access to sensitive runtime information.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
This file contains multiple cluster-mutating addon management capabilities, including install, uninstall, update, and network reconfiguration, even though the skill is described as a report generator. That mismatch materially increases the risk that a reporting workflow could be abused to make unauthorized infrastructure changes, violating least privilege and expanding the attack surface far beyond read-only reporting.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The skill exposes addon install, uninstall, and update operations that can directly modify live cluster state, despite having no clear relationship to report generation. In the context of an agent skill, such hidden administrative capabilities create a dangerous privilege escalation path where a user or prompt intended to generate reports could instead trigger disruptive infrastructure changes.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The bursting addon reconfiguration logic updates live addon and network-related settings, including subnet and VPC-associated parameters, which is unrelated to the declared reporting purpose. Because network reconfiguration can affect scheduling, connectivity, and workload placement, embedding it in a reporting skill creates a high-risk hidden control path for operational disruption.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
This code creates CCE LogConfig resources, which actively changes cluster log collection behavior rather than only generating reports. In the stated context of an ops report generator, this is an unnecessary write capability that could be abused to alter observability coverage, redirect logs, or expand collection scope.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
This function deletes CCE LogConfig resources, which can stop application log ingestion and directly impair monitoring, auditing, and incident response. That capability is inconsistent with a reporting-only tool and materially increases the blast radius if the skill is misused or prompted unexpectedly.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The code provisions temporary Kubernetes client credentials by requesting a cluster certificate and then uses them to access custom objects. For a report-generation skill, this exceeds least privilege and gives the skill a path to authenticated cluster API access that could be repurposed for broader discovery or modification.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The file implements infrastructure-changing operations for Huawei Cloud CCE/CCI, including endpoint creation, addon installation/configuration, and workload deployment, while the skill manifest claims a reporting-only purpose. This mismatch is dangerous because a user invoking a report skill could unknowingly trigger privileged control-plane and Kubernetes changes, violating least surprise and expanding the blast radius of the skill.

VirusTotal

65/65 vendors flagged this skill as clean.