ClawHub

Alibabacloud Dns Resolve Diagnose

Security checks across malware telemetry and agentic risk

Overview

This DNS troubleshooting skill is not clearly malicious, but it grants broad setup and cloud-access authority with weak scoping and disclosure.

Install only after reviewing the setup commands. Avoid running the curl-to-bash installer blindly, do not let the agent update/install Aliyun plugins automatically, use a least-privilege read-only DNS RAM role, avoid entering secrets on command lines, and do not submit internal or sensitive domains/URLs to boce or public DNS/WHOIS services unless that disclosure is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if HAS_CLI:
    try:
        subprocess.run(
            "aliyun configure set --auto-plugin-install true",
            shell=True, capture_output=True, text=True, timeout=5,
        )
Confidence
95% confidence
Finding
subprocess.run( "aliyun configure set --auto-plugin-install true", shell=True, capture_output=True, text=True, timeout=5, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"aliyun configure set --auto-plugin-install true",
            shell=True, capture_output=True, text=True, timeout=5,
        )
        subprocess.run(
            "aliyun plugin install --names aliyun-cli-alidns aliyun-cli-domain aliyun-cli-pvtz 2>/dev/null",
            shell=True, capture_output=True, text=True, timeout=60,
        )
Confidence
97% confidence
Finding
subprocess.run( "aliyun plugin install --names aliyun-cli-alidns aliyun-cli-domain aliyun-cli-pvtz 2>/dev/null", shell=True, capture_output=True, text=True, timeout=60,

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill instructs the agent to use shell commands, read local reference files, and inspect environment-backed CLI configuration, yet it declares no explicit permissions boundary. That mismatch increases the chance of overbroad execution and weak review, because a consumer may assume the skill is passive documentation while it actually performs command execution and file access.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The reference includes `sts assume-role`, which expands the skill from passive DNS diagnosis into credential acquisition. For a DNS troubleshooting skill, this is broader than necessary and could enable privilege escalation or cross-account access if an agent invokes it with an overly permissive role. The surrounding skill context makes this more dangerous because the capability is presented as a normal troubleshooting step without clear scope limits or authorization constraints.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This reference materially expands the skill from DNS diagnosis into general Alibaba Cloud CLI installation, authentication setup, profile management, and cross-service administration. In an agent skill, this broadens the operational scope and may lead users or agents to provision persistent credentials and invoke unrelated cloud capabilities, increasing the attack surface beyond what is necessary for DNS troubleshooting.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The 'Next Steps' section encourages installation of broad product plugins and exploration of non-DNS services such as ECS and FC, which is not justified by a DNS-diagnosis skill. In an automated or semi-automated agent context, this can normalize capability expansion into unrelated cloud services and increase the chance of over-privileged operation or misuse.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The shared DNS utility inspects Alibaba Cloud credential presence and configuration state, which goes beyond pure DNS parsing/helpers and touches sensitive local environment metadata. In an agent skill context, this can disclose whether credentials exist, the active region, and related account setup details even when the user only asked for DNS troubleshooting.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file exposes cloud credential/configuration verification behavior through `check-env`, extending the skill from DNS diagnosis into local cloud-environment enumeration. That broader capability increases privacy and security risk because the agent can probe host tooling and cloud access state unrelated to a narrow DNS-resolution request.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger set includes broad phrases like "domain unreachable" and "DNS not working," which are common in ordinary troubleshooting conversations. This can cause unintended invocation of a skill that performs package installation, plugin updates, network probing, and cloud API checks, expanding risk beyond what the user explicitly requested.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documented response explicitly includes `AccessKeyId`, `AccessKeySecret`, and `SecurityToken` but provides no warning that these are sensitive secrets requiring redaction and careful handling. In an agent setting, this omission can lead to credential leakage into logs, transcripts, tool outputs, or downstream prompts, enabling unauthorized API access for the token lifetime. Because the skill is intended for automated diagnosis, exposing secrets in reference material is especially risky.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to pass access keys and secrets directly on the command line, which can expose credentials through shell history, process listings, terminal logging, and persisted local configuration. Although the document later mentions securing config files, it does not warn at the point of use that these examples may leak sensitive secrets during normal administration workflows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file instructs users to run privileged cache-flush commands with sudo but does not warn that these commands require elevated privileges or alter local system state. In a diagnostic skill, this is risky because users may copy-paste commands without understanding they are performing administrative actions, increasing the chance of unintended system changes or misuse on production machines.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The HTTP probe function transmits a user-supplied URL or domain to the third-party service boce.aliyun.com for remote testing. That creates a real data-exposure/privacy issue because internal hostnames, sensitive URLs, or customer infrastructure details may be disclosed externally without an explicit warning, confirmation step, or allowlist check. In a diagnostic skill, this behavior is somewhat expected, but it is still dangerous when users may not realize their target is being submitted to an outside provider.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The DNS probe function submits the user-provided domain to boce.aliyun.com via browser automation, which can leak sensitive internal or unpublished domains to a third party. Although external DNS probing is core to the skill's purpose, the lack of explicit consent, warning, or scope restrictions makes this a genuine security and privacy concern, especially in enterprise environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The credential environment check returns `role_arn`, region, and a derived credential-status signal without any warning, redaction, or consent mechanism. Those details can help an attacker profile the cloud environment and identify privileged identities or deployment patterns if the output is surfaced to logs, users, or remote systems.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically performs external DNS and WHOIS lookups against a user-supplied domain without any explicit notice, consent prompt, or data-handling warning. In a diagnostic skill this can disclose queried domains, operator IP address, and troubleshooting targets to third-party resolvers/WHOIS services, which is a meaningful privacy and operational-security risk, especially for internal, pre-release, or sensitive domains.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
> [MUST] run `aliyun configure set --auto-plugin-install true` to enable automatic plugin installation.
> [MUST] run `aliyun plugin update` to ensure that any existing plugins are always up-to-date.

**Additional tools:**

| Tool | Purpose | Installation |
|------|---------|-------------|
Confidence
94% confidence
Finding
tools:*

External Script Fetching

High
Category
Supply Chain
Content
**Pre-check: Aliyun CLI >= 3.3.3 required**
> Run `aliyun version` to verify >= 3.3.3. If not installed or version too low,
> run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` to install/update,
> or see `references/cli-installation-guide.md` for installation instructions.

**Pre-check: Aliyun CLI plugin update required**
Confidence
99% confidence
Finding
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal