Security audit

aleph-cloud-self-deployment

Security checks across malware telemetry and agentic risk

Overview

This skill is openly about self-deploying cloud agents, but it gives spawned remote agents powerful keys that can create paid VMs recursively.

Install only if you intentionally want an agent to provision paid cloud infrastructure and operate remotely. Use a dedicated low-balance Aleph account, per-instance or delegated keys, manual approval before each new VM, budget alerts, and a documented shutdown process. Do not copy production private keys or API keys to child VMs unless you are prepared to rotate them afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The post-creation setup script accepts ANTHROPIC_KEY as a positional argument but never writes auth-profiles.json, even though earlier instructions state that auth-profiles.json is the required secure location and that mishandling the key fails silently. This creates both a security weakness and a likely misconfiguration path in which operators fall back to unsafe secret handling to make the system work.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The documented child activation command injects the Aleph private key into a shell command argument via $(cat ...), which can expose the key in process arguments, shell tracing, audit logs, or remote command history. Because this key permits instance creation and account actions, disclosure would let an attacker consume credits and replicate control across recursively deployed agents.

Missing User Warnings

High
Confidence: 97%
Finding
The skill explicitly instructs operators to transfer an Aleph private key to the child VM so that it can recursively self-deploy. Propagating a long-lived account key to additional hosts materially expands the compromise blast radius: compromise of any child VM yields cloud account control, budget abuse, and further replication.

VirusTotal

64/64 vendors flagged this skill as clean.