Alibabacloud Agentloop Contextstore

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Alibaba Cloud ContextStore helper, but its bundled setup guide expands into broad Alibaba Cloud CLI/plugin use and risky credential examples, so it needs review before installation.

Install only if you intend to let an agent operate Alibaba Cloud CMS ContextStore resources. Use a least-privilege RAM identity, avoid root or broad account credentials, do not paste access keys into chat or command history, pin/review CLI plugins where possible, and require explicit confirmation for any write, API key, bulk delete, or store deletion operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
This guide materially expands the skill from CMS ContextStore operations into broad Aliyun CLI administration, including unrelated services, endpoints, plugins, and general cloud account configuration. In an agent skill, that scope creep increases the chance the agent will assist with unintended actions against arbitrary Alibaba Cloud resources, violating least-privilege expectations for a service-specific skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The documentation explicitly instructs users to install and explore arbitrary Alibaba Cloud product plugins, which grants an agent operator a pathway to extend capability well beyond ContextStore. In the context of an agent skill, this is dangerous because it normalizes unrestricted expansion of command surface and can enable unintended or unauthorized cloud operations.

Intent-Code Divergence

Severity: Low
Confidence: 77%
Finding:
Claiming this is a complete Aliyun CLI guide for all published plugins conflicts with the stated purpose of a narrow CMS ContextStore skill. While not directly exploitable on its own, this framing encourages overbroad use and weakens safety boundaries by implying the skill should support the full Alibaba Cloud CLI ecosystem.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The examples promote use of long-lived access keys and environment-variable-based secret injection without an immediate warning about shell history, process inspection, CI log leakage, or persistence in agent environments. In an automation-focused skill, this is particularly risky because agents and pipelines frequently echo commands, retain environment state, or write diagnostic output that can expose credentials.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
Recommending non-interactive credential configuration for scripts, CI/CD, and agent-driven automation without adjacent guidance on secret masking and log hygiene can cause operators to embed sensitive credentials directly into commands. In the context of an agent skill, this increases exposure because automated systems routinely persist command invocations, transcripts, and debug output.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The document includes single-command and bulk delete examples for context records without clearly warning that these operations are destructive and may permanently remove user memory/experience data. In an agent skill context, users or downstream agents may copy these commands directly, increasing the chance of accidental mass deletion, especially with filter-based deletes.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The documentation includes a store deletion command without explicit warning, confirmation guidance, or safe-verification steps. In an agent skill context, users or downstream agents may execute documented commands directly, increasing the chance of accidental deletion of ContextStore data and associated system-managed datasets.

VirusTotal

62/62 vendors flagged this skill as clean.