Alibabacloud Agentbay Aio Skills

Security checks across malware telemetry and agentic risk

Overview

This skill runs user code in an Alibaba AgentBay cloud sandbox. Its credential use (an AgentBay API key) and its handling of generated charts and other output are disclosed in the skill text rather than hidden.

Install this only if you are comfortable sending the code and data you run to AgentBay and storing an AgentBay API key locally or in an environment variable. Avoid running code that contains secrets or private data, and expect generated charts or images to appear as local files in the current directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs use of shell execution, local file reads/writes, and environment-dependent behavior, but declares no permissions or trust boundaries. That mismatch is dangerous because it can cause the agent to invoke powerful capabilities without explicit user awareness or platform-level gating, especially in a code-execution skill that already handles untrusted input.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill says all user code must be run through the sandbox wrapper, but later directs the agent to modify the user payload by prepending package-install commands. That creates an unsafe instruction boundary: the wrapper is no longer just executing supplied code, it is augmenting it with privileged system-changing behavior, increasing the chance of unexpected side effects and making review of executed content harder.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The documented use of apt-get introduces OS-level package management into a skill whose stated purpose is code execution, not system administration. Allowing package installation from within executed code materially expands the attack surface, can change the runtime in non-reproducible ways, and may enable additional tooling or persistence inside the sandbox beyond what users expect.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
Although code execution happens in a remote sandbox, the script takes execution-derived image data from sandbox output and writes it directly to the local host filesystem. That breaks the expected isolation boundary and can overwrite or plant files locally, especially if this tool is run in a sensitive working directory or as part of an automated agent workflow.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger text is extremely broad, covering almost any request to run, evaluate, or analyze code. In practice, that can cause over-invocation of a high-risk skill with shell/file capabilities, increasing exposure to unintended execution paths and making it more likely the skill is selected when a safer non-executing response would suffice.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation tells the agent to extract results and write them to local files, but does not clearly surface that this is a local file-write side effect. In a code-execution workflow, silent local writes can overwrite files, create unexpected artifacts, or persist potentially sensitive sandbox output on the host without clear user consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script automatically sources an API key from environment/config and sends user-supplied code to a third-party remote service without a prominent runtime warning or explicit consent step. In agent contexts, this can cause unintentional disclosure of sensitive code, prompts, or data to an external provider under ambient credentials.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The runner injects code that performs apt-get update/install and modifies caches/files automatically based on detected CJK characters, without user opt-in. Even though this happens in the remote sandbox, it changes the execution environment unexpectedly and normalizes silent dependency installation from generated code paths.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
The script rewrites user code by stripping the user's matplotlib backend and font settings and forcing its own configuration. In a code-execution skill, silently altering user programs undermines user intent and conceals side effects: the code that runs is no longer the code the user reviewed, which makes the tool less predictable and harder to reason about safely in automated workflows.
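The Intent-Code Divergence finding, the apt-get injection finding and the matplotlib-rewrite finding above all describe the same defect: the runner changes the user's program between review and execution without saying so. The block below is an added example, not the skill's own code, of the alternative a reviewer would ask for: detect the same conditions (CJK text, a user-chosen backend, font settings), but make every change opt-in, record it, and expose a diff of exactly what will run. The prelude contents, the function names and the sample programs are assumptions for illustration.

```python
"""Make rewrites of user code explicit and opt-in instead of silent (added example)."""
import difflib
import re
from dataclasses import dataclass, field

# Hiragana/Katakana, CJK ideographs and Hangul: the condition the finding says
# triggers a font install.
CJK_RE = re.compile(r"[\u3040-\u30ff\u3400-\u4dbf\u4e00-\u9fff\uac00-\ud7af]")
BACKEND_RE = re.compile(r"""^\s*matplotlib\.use\(\s*['"]([A-Za-z0-9]+)['"]""")
FONT_RE = re.compile(r"""rcParams\[\s*['"]font\.""")

# Assumed prelude a runner might prepend for CJK labels; this is the kind of
# system-changing augmentation that must never be applied silently.
CJK_FONT_PRELUDE = (
    "import subprocess\n"
    "subprocess.run(['apt-get', 'update'], check=True)\n"
    "subprocess.run(['apt-get', 'install', '-y', 'fonts-noto-cjk'], check=True)\n"
)
HEADLESS_BACKEND = "Agg"  # assumed requirement of a headless sandbox


@dataclass
class Prepared:
    code: str
    changes: list = field(default_factory=list)        # modifications actually applied
    needs_consent: list = field(default_factory=list)  # proposed, NOT applied
    notes: list = field(default_factory=list)          # user settings left untouched

    def diff(self, original: str) -> str:
        """Unified diff between what the user wrote and what would execute."""
        return "".join(difflib.unified_diff(
            original.splitlines(keepends=True), self.code.splitlines(keepends=True),
            fromfile="user_code", tofile="executed_code"))


def prepare_payload(user_code: str, *, allow_system_changes: bool = False) -> Prepared:
    """Return the payload to execute plus a full account of every deviation from user_code.

    Nothing is stripped from the user's program. A system-changing prelude is only
    prepended when the caller has passed explicit consent, and is logged when it is.
    """
    p = Prepared(code=user_code)

    if CJK_RE.search(user_code):
        msg = "prepend apt-get update/install of CJK fonts (system change inside sandbox)"
        if allow_system_changes:
            p.code = CJK_FONT_PRELUDE + p.code
            p.changes.append(msg)
        else:
            p.needs_consent.append(msg)

    for lineno, line in enumerate(user_code.splitlines(), 1):
        m = BACKEND_RE.match(line)
        if m and m.group(1) != HEADLESS_BACKEND:
            p.needs_consent.append(
                f"line {lineno}: user selects backend {m.group(1)!r}; "
                f"headless execution needs {HEADLESS_BACKEND!r}; override only with approval")
        if FONT_RE.search(line):
            p.notes.append(f"line {lineno}: user font setting kept as written")
    return p


if __name__ == "__main__":
    src = "import matplotlib\nmatplotlib.use('TkAgg')\nprint('你好')\n"
    first = prepare_payload(src)
    print("needs consent:", *first.needs_consent, sep="\n  ")
    approved = prepare_payload(src, allow_system_changes=True)
    print(approved.diff(src))
```

The caller that talks to the agent should refuse to execute while needs_consent is non-empty and should show the diff alongside the consent prompt, which is what turns the "augmentation" the findings object to into a reviewable, user-approved change.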

VirusTotal

None of 65 VirusTotal vendors flagged this skill as malicious; all 65 reported it clean.
