Alibabacloud Cms Dataset

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for Alibaba Cloud CMS dataset management, but it needs Review because it can create workspaces and mutate or delete real cloud resources with under-scoped confirmation around some actions.

Install only if you are comfortable letting an agent operate Alibaba Cloud CMS resources. Use a least-privilege RAM profile scoped to the intended workspace, avoid inline long-lived access keys, prefer verified CLI installation methods, and manually confirm any workspace creation, sls-project value, dataset creation, update, or deletion before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The skill is scoped as dataset lifecycle/query management, but it also expands into provisioning CMS workspaces. That broadens the operational blast radius from managing a dataset to creating new infrastructure containers, which can cause unintended resource creation, billing, governance bypass, or execution in the wrong environment when a user expected a read/query-focused workflow.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Automatically creating a workspace when `get-workspace` fails is not justified by a dataset-focused skill and converts a validation step into a write action. An attacker or mistaken user input could trigger creation of unintended workspaces and linked resources, especially because a missing workspace may reflect a typo, a region mismatch, or a permission issue rather than genuine intent to create one.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The skill states that all user-customizable parameters must be confirmed and defaults must not be assumed, but later instructs using the workspace name as the `--sls-project` when the user does not provide one. This contradiction can lead to silent resource binding to an unintended SLS project, creating configuration drift or exposing logs/data to the wrong backend project.

Missing User Warnings

Medium
Confidence: 98%
Finding
The guide recommends a curl-pipe-bash quick setup that executes remote code directly in the user's shell without inspection, checksum verification, or provenance validation. In an installation guide for a cloud CLI, this is especially risky because users may run it with elevated privileges or on machines containing cloud credentials, turning a compromised distribution endpoint or MITM into immediate code execution.

Missing User Warnings

Medium
Confidence: 93%
Finding
The configuration section normalizes use of long-lived access keys in command lines and environment variables without warning about shell history, process listing, terminal logging, or inherited environment exposure. Because this skill is for Alibaba Cloud dataset lifecycle operations, exposed credentials could enable unauthorized API access, dataset modification, deletion, or broader account compromise depending on permissions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The verification guide includes create, update, and delete commands that change remote CMS datasets, but it does not require an explicit user confirmation or warn that these actions will modify or remove real cloud resources. In an agent skill context, that omission is risky because a user asking to 'verify' behavior could unintentionally trigger state-changing operations against production workspaces.

VirusTotal

65/65 vendors flagged this skill as clean.