Alibabacloud Analyticdb Postgresql Ai Coaching Best Practice

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Alibaba Cloud setup guide, but it gives an agent broad live-cloud authority and includes unsafe password-handling guidance that users should review carefully.

Install only if you intend to let an agent help provision Alibaba Cloud ADBPG/Supabase resources. Use a dedicated least-privilege RAM identity, confirm every billable or network/security-changing command, do not paste existing production passwords or long-lived access keys into chat, and upload only approved non-sensitive knowledge-base documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The document explicitly includes retrieval of Supabase project API keys even though the stated purpose is infrastructure setup and AI coaching workflows, not secret extraction or downstream key handling. Exposing or normalizing API-key retrieval in a general best-practice skill increases the chance that agents will fetch sensitive credentials unnecessarily and then mishandle, log, or reveal them.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The account-management section and examples normalize creation of database accounts where the note says the account type defaults to Super, which materially exceeds least-privilege requirements for a coaching knowledge-base workflow. If followed by an agent or user, this can create overprivileged credentials that enable broad database compromise, destructive changes, and access beyond the intended RAG application scope.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger list includes broad terms like "Supabase", "RAG", "knowledge base", and "vector database", which are common across many unrelated tasks. This can cause unintended activation of a skill that provisions cloud infrastructure and handles credentials, increasing the chance of unsafe or irrelevant execution in the wrong context.

Vague Triggers

Medium
Confidence: 89%
Finding
The invocation condition uses a loose example, "Help me set up an AI coaching system," without clear boundaries on platform, scope, or required user intent. In context, this skill performs high-impact actions such as creating billable cloud resources and modifying network configuration, so ambiguous invocation materially raises the risk of unintended execution.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs the agent to ask the user for an existing database account password, but does not provide a secure handling pattern beyond using it later in commands. Requesting existing credentials in-chat is dangerous because secrets may be exposed to logs, transcripts, model context, or downstream tooling.

Missing User Warnings

Medium
Confidence: 90%
Finding
The guide shows commands that take access keys and secrets directly on the command line without explicitly warning that shell history, process listings, terminal recordings, and checked-in scripts can expose those credentials. In a skill intended for agent-driven infrastructure setup, users may copy these examples verbatim with real secrets, increasing the likelihood of credential leakage.

Missing User Warnings

Medium
Confidence: 94%
Finding
The document recommends non-interactive authentication for scripts, CI/CD, and agent automation, but does not warn that flags and persisted config files may leak secrets into job logs, audit trails, process metadata, or runner disks. Because this skill targets automation-heavy workflows, the omission is more dangerous than in a purely manual tutorial.

Missing User Warnings

Medium
Confidence: 92%
Finding
The document explicitly includes the permission `gpdb:GetSupabaseProjectApiKeys`, which enables retrieval of Supabase API keys, but it does not warn that this action exposes sensitive credentials that could enable unauthorized access to project resources and downstream data. In a skill intended to guide deployment and operations, normalizing credential-retrieval permissions without handling guidance increases the chance that users overgrant access or expose secrets in logs, tooling, or shared operator contexts.

Missing User Warnings

Medium
Confidence: 95%
Finding
The custom policy example bundles credential-access (`gpdb:GetSupabaseProjectApiKeys`) with broad resource-creation and network-modification permissions, all on `Resource: "*"`, without clearly calling out the sensitivity and operational impact of those actions. In practice this can encourage users to deploy an overprivileged policy that allows secret retrieval, infrastructure creation, EIP/NAT changes, and whitelist modification beyond what is necessary for a specific scenario.

Missing User Warnings

Medium
Confidence: 97%
Finding
The examples place passwords directly on the command line, which commonly exposes secrets through shell history, process listings, terminal logging, CI logs, and session transcripts. In an agent-skill context this is more dangerous because automation systems often capture and persist full command invocations, making credential leakage likely.

Missing User Warnings

Medium
Confidence: 83%
Finding
The upload example pulls a document from an external URL into the knowledge base without warning about confidentiality, provenance, or third-party data exposure. This can lead users or agents to ingest sensitive internal content via public URLs or to fetch untrusted content, creating data-leakage, compliance, and poisoning risks in the RAG system.

Missing User Warnings

Medium
Confidence: 95%
Finding
The verification guide includes commands that place sensitive credentials directly on the command line, including manager account passwords, namespace passwords, and a database connection string with inline credentials. Secrets passed this way are commonly exposed via shell history, process listings, logs, terminal recordings, and shared documentation, which can lead to credential disclosure and compromise of the Supabase or ADBPG environment. In this skill context, the risk is elevated because the document is explicitly a reusable operational runbook, making copy-paste leakage likely.

Ssd 3

High
Confidence: 99%
Finding
The workflow explicitly tells the agent to obtain an existing database account password and keep using it for subsequent steps. This is a classic secret-handling flaw: the agent becomes a collector and temporary custodian of privileged credentials, creating unnecessary exposure and increasing the blast radius if conversation history, telemetry, or memory is accessed.

Ssd 3

High
Confidence: 99%
Finding
The instruction to "Record" manager account credentials for later operations explicitly normalizes credential retention within the session. Retaining privileged database credentials, even temporarily, significantly increases the chance of accidental disclosure through logs, tool traces, prompt injection side effects, or later model responses.

VirusTotal

63/63 vendors flagged this skill as clean.