Alibabacloud Analyticdb Postgresql Knowledgebase Ops

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its Alibaba Cloud knowledge-base purpose, but it needs review because it asks an agent to collect and remember database passwords and may trigger paid cloud instance creation.

Install only after confirming you are comfortable with an agent operating against Alibaba Cloud database resources. Use least-privilege RAM credentials, avoid pasting long-lived passwords into chat or command lines, prefer temporary credentials or a secure secret path, and require explicit approval before any new ADBPG instance is created, including region, size, cost, and cleanup plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Context-Inappropriate Capability

Medium (93% confidence)
Finding
This file provides broad Aliyun CLI installation, authentication, ECS querying, and plugin-management guidance that materially exceeds the skill's stated scope of ADBPG knowledge-base operations. In an agent skill context, bundling general cloud administration instructions increases the chance the agent is granted or encouraged to use overly broad credentials and unrelated product capabilities, expanding the attack surface beyond the intended database knowledge-base workflow.

Context-Inappropriate Capability

Medium (96% confidence)
Finding
The guidance instructs the agent to collect highly sensitive credentials, including manager and namespace passwords, as part of normal workflow. Even if operationally useful, broad credential collection exceeds data minimization principles and increases the chance of credential exposure through chat logs, prompt leakage, or downstream tool misuse.

Context-Inappropriate Capability

High (99% confidence)
Finding
The session-memory guidance explicitly tells the agent to remember parameters such as NamespacePassword for reuse, which creates persistent exposure of secrets during the session. Retaining credentials in conversational memory increases the blast radius if the agent is later induced to reveal memory contents or uses them in unintended actions.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
The instructions authorize the agent to invoke a separate skill to create database instances, expanding capability beyond the declared knowledge-base management scope. This broadens the agent's authority surface and can lead to unintended provisioning, increased cost, or privilege abuse if triggered by ambiguous or manipulated user input.

Missing User Warnings

Medium (95% confidence)
Finding
The examples show non-interactive command lines containing access-key material, which can be captured in shell history, process listings, CI logs, or agent telemetry. In an automated skill environment, this is especially risky because agents often echo commands, retain execution traces, or surface debug output to users and logs.

Missing User Warnings

Medium (97% confidence)
Finding
Recommending `aliyun configure get` and debug logging for troubleshooting without warning about redaction can expose configured credential material or other sensitive authentication details. In agent-assisted troubleshooting, such output may be copied into chats, stored in logs, or transmitted to external systems, turning a support step into a secret disclosure path.

Missing User Warnings

Medium (97% confidence)
Finding
The guidelines direct users to provide manager and namespace passwords through plain text conversation, without mandating a secure input channel or strong warning before collection. Secrets entered into chat may be logged, retained, surfaced to other components, or exposed in support/debug workflows, making credential compromise more likely.

Missing User Warnings

Medium (92% confidence)
Finding
The document instructs users to run `aliyun configure list`, which can expose credential configuration details in terminal output, screenshots, logs, or shared troubleshooting transcripts. While this is framed as verification guidance rather than overtly malicious behavior, it lacks any warning to avoid revealing account identifiers or secret-bearing configuration, creating unnecessary credential exposure risk.

Missing User Warnings

High (98% confidence)
Finding
The examples pass passwords directly on the command line via flags such as `--manager-account-password` and `--namespace-password`. Command-line secrets are commonly exposed through shell history, process listings, audit logs, CI logs, and terminal recordings, so documenting this pattern without warning or safer alternatives materially increases the chance of credential compromise.

Missing User Warnings

Medium (85% confidence)
Finding
The document instructs users to upload a document from a remote URL, which can cause potentially sensitive document contents to be fetched, transmitted, and ingested without any privacy, provenance, or trust warning. In a knowledge-base/RAG skill this behavior is functionally expected, but the absence of guidance about using trusted sources and avoiding confidential documents makes accidental data disclosure more likely.

Ssd 3

High (99% confidence)
Finding
Collecting manager and namespace passwords via plain text and designing the workflow around their reuse creates a direct secret-handling weakness. In a skill that performs administrative and data operations, leaked credentials could enable unauthorized access, data exfiltration, modification, or service disruption.

Ssd 3

High (99% confidence)
Finding
Explicitly remembering NamespacePassword for later reuse means the agent is instructed to retain a live secret in session state. This makes prompt injection, accidental disclosure, logging, or memory inspection materially more dangerous because the credential remains available after the original task completes.

VirusTotal

66/66 vendors flagged this skill as clean.