Alibabacloud Cfw Acl Diagnosis

Security checks across malware telemetry and agentic risk

Overview

This is mostly a legitimate read-only Alibaba Cloud firewall diagnostic skill, but it asks the agent to make persistent local CLI/plugin changes despite presenting itself as read-only.

Install only if you are comfortable with an agent using your default Alibaba Cloud CLI credentials to query firewall rules and logs. Before use, remove or manually control the setup steps that enable/disable aliyun AI mode, set global user-agent state, update plugins, or install plugins automatically; use a read-only RAM user for the cloud account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The skill is labeled read-only, but it instructs the agent to run global CLI configuration commands such as enabling AI mode, changing user-agent settings, and disabling AI mode later. These are state-changing operations on the local environment and can alter behavior for other sessions, users, or tasks, violating the principle of least surprise and the skill's own safety contract.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
A diagnostic assistant should not autonomously update plugins or install missing components, because those actions modify the host environment and expand the skill's operational footprint beyond read-only inspection. Plugin installation/update also introduces supply-chain and change-management risk, especially when performed automatically during routine diagnosis.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The skill contains contradictory instructions: it claims write/configuration commands are strictly prohibited, yet later mandates configuration-changing commands. This inconsistency is dangerous because agents may follow the later imperative steps, leading to unauthorized local state changes while operators believe the workflow is read-only.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The file mandates live CLI execution for every diagnostic step, which directly conflicts with the skill's declared text-only, guidance-only scope. This creates an unsafe capability expansion: a user invoking a read-only advisory skill could cause the agent to perform real environment-dependent operations, potentially accessing cloud resources and sensitive runtime context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The documentation instructs the agent to use operational tooling and consider credential-related checks, which is unjustified for a text-only diagnostic assistant. Even though it advises against printing secrets, it still normalizes real credential-dependent execution and increases the likelihood that the agent will interact with authenticated cloud tooling in the host environment.

VirusTotal

58/58 vendors flagged this skill as clean.
