Alibabacloud Aes Ack Pod Performance Profiling

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real Alibaba Cloud pod diagnosis workflow, but it automatically makes cloud networking and local CLI changes that are not consistently disclosed or gated by user approval.

Review before installing. Use only with a least-privilege Alibaba Cloud identity on a non-sensitive or approved ACK cluster, and require explicit approval before any write operation. Be aware that it can change local Aliyun CLI configuration and create cloud networking/service-role state that may need manual cleanup. VirusTotal and static scan were clean; the concern is the skill's own documented behavior.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The cleanup section claims the workflow is read-only, but earlier steps clearly enable AI mode, change CLI configuration, initialize SysOM roles, and create a Cluster VPC Endpoint Connection. Misrepresenting write operations as read-only is dangerous because it can cause users and automated systems to authorize execution under false assumptions about state impact and rollback needs.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The skill states that all user-customizable parameters must be confirmed, yet later authorizes an automatic network-modifying operation without user confirmation. This inconsistency weakens human-in-the-loop safeguards and can normalize unapproved write actions against user infrastructure.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The skill persists local CLI changes such as enabling AI mode, setting a user-agent value, updating plugins, and enabling auto plugin installation, none of which are strictly justified as pod profiling actions. Persistent workstation reconfiguration increases the blast radius beyond the immediate diagnostic task and may affect future commands, plugin behavior, or audit expectations.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding:
The stated purpose is pod performance profiling, but the documented workflow also provisions networking prerequisites and initializes account-level services. In this context, the mismatch is especially risky because a diagnostic skill is expected to be low-risk and observational, making hidden provisioning steps more likely to be approved without proper scrutiny.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The guide instructs users to acquire and configure long-lived AccessKey credentials and includes concrete examples of storing them via CLI configuration. In an agent skill context, encouraging persistent high-value credentials broadens the blast radius: compromised hosts, logs, shell history, or mis-scoped automation could expose credentials unrelated to the profiling task.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The workflow requires an automatic write operation that creates a cluster VPC endpoint connection, which changes network configuration despite the skill being presented as a diagnostic/profiling capability. This creates a scope mismatch: a user invoking a read-oriented diagnosis skill may unknowingly authorize infrastructure changes with security and connectivity consequences.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The document states that cluster network configuration will be modified automatically and without confirmation as a mandatory precondition for diagnosis. Unprompted creation of connectivity resources expands attack surface and violates least surprise, especially in production clusters where network-path changes may have policy, cost, or exposure implications.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The skill explicitly authorizes automatic execution of a network-modifying step without user confirmation. Unattended creation of a VPC endpoint connection can alter cluster connectivity and security posture, and the risk is amplified because the operation is framed as mandatory rather than requiring informed approval.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill documents an automatic network-configuration change with no confirmation safeguard, even though it is a write action affecting cluster infrastructure. This is dangerous because users may believe they are requesting diagnosis only, while the skill silently performs state-changing operations that could alter trust boundaries or violate change-control requirements.

VirusTotal

64/64 vendors flagged this skill as clean.