Alibabacloud Aes Sysom Os Diagnosis

Security checks across malware telemetry and agentic risk

Overview

This skill is for Alibaba Cloud SysOM diagnosis, but it can also make lasting cloud and instance changes such as installing agents and configuring DingTalk alerts.

Install only if you intend to let the skill use an Alibaba Cloud profile for ECS SysOM diagnosis and possible ongoing monitoring setup. Use a least-privilege RAM role, avoid granting update/delete alert permissions unless needed, verify every instance or cluster before enrollment, treat DingTalk webhook URLs as secrets, and plan cleanup for agents, alert destinations, alert strategies, and local CLI/SDK changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill requires access to credentials and local reference files but does not declare corresponding permissions. This weakens the trust boundary for the agent runtime because operators cannot accurately assess what the skill can access before execution, and hidden capability use is especially sensitive in a security-oriented workflow that touches cloud credentials and SDK scripts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The advertised purpose emphasizes diagnosis, but the workflow also performs persistent and state-changing actions: agent enrollment, SDK environment setup, alert-destination creation, and alert-strategy creation. This mismatch can mislead users and reviewers into approving a skill for read-only troubleshooting when it can also modify cloud monitoring configuration and install software, increasing the chance of over-privileged use or unintended changes.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The cleanup section states that the diagnosis operations are read-only and implies that no cleanup is needed, but the documented workflow installs agents, changes CLI configuration, enables AI mode, creates alert destinations, and creates alert strategies. Mislabeling state-changing actions as read-only can cause users to authorize the skill under false assumptions and leave persistent changes behind without rollback guidance.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill description frames the capability as OS-level diagnosis, but the workflow expands into ongoing management tasks such as persistent enrollment and DingTalk alerting setup. This creates a scope gap that can undermine informed consent and lead to granting broader permissions or allowing infrastructure modifications that the user did not expect from a diagnostic skill.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill’s stated purpose is OS diagnosis, but this workflow expands into persistent agent enrollment and alerting administration. That broadens the operational scope from troubleshooting into infrastructure management, increasing the chance that users are steered into long-lived changes they did not explicitly request and violating least-privilege/task-boundary expectations.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Including deletion and broader alert-destination management introduces administrative capabilities unrelated to core diagnosis. If invoked improperly, this could disable notifications or alter monitoring integrations, undermining operational visibility and creating unnecessary destructive power within a diagnostic skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide shows non-interactive CLI examples that place long-lived access key secrets directly on the command line without warning that shells may record them in history and that other local users or monitoring tools may capture process arguments. In the context of an agent/automation skill for cloud diagnosis, this is more dangerous because users are explicitly encouraged to use these patterns in scripts and CI/CD, increasing the chance of credential leakage and reuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow collects a DingTalk webhook and immediately configures it without a user-facing warning that alerts and potentially sensitive operational details will be sent to a third-party endpoint. This creates a data-sharing risk because users may not understand the trust boundary change or the sensitivity of future diagnostic notifications.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document grants and normalizes permissions for agent installation, cluster enrollment, and alert-destination management, but does not warn that these actions can modify running systems, deploy software, or change outbound notification behavior. In a skill intended for troubleshooting production ECS instances, omission of user-impact warnings increases the risk that operators authorize broad actions without understanding operational, security, or change-management consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation includes destructive operations such as deleting and uninstalling alert destinations and agents, but provides no warning, confirmation guidance, or guardrails about operational impact. In an agent skill context, this increases the chance that an automated workflow or operator will execute irreversible or service-affecting actions without understanding the consequences.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The verification instructions explicitly tell users to run credential-inspection commands and later configure a DingTalk webhook URL containing an access token, but they provide no warning about handling sensitive output or secrets safely. In a diagnostic skill that may be run in shared terminals, CI logs, chat transcripts, or support sessions, this can lead to accidental disclosure of cloud credentials or webhook tokens that enable unauthorized alert manipulation or account access.

Ssd 3

Medium
Confidence
93% confidence
Finding
The mandated flow asks for a user-supplied webhook and immediately uses it, with no minimization, review step, or confirmation before committing the destination. That is dangerous because a mistyped or maliciously supplied webhook could silently route future alerts to an unintended recipient, causing ongoing data leakage and hard-to-detect misconfiguration.

VirusTotal

65/65 vendors flagged this skill as clean.