Alibabacloud Ecs Code Deploy

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for Alibaba Cloud ECS deployment, but it asks for high-impact cloud authority and contains unsafe or conflicting handling around API keys, remote log access, and automatic changes.

Review this carefully before installing. Use a least-privilege Alibaba Cloud RAM role, avoid pasting API keys into chat or command lines, confirm every paid or destructive action yourself, and be aware that verification may run a remote command on ECS and print logs, public IPs, or SSH-style access details into the session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding
The skill instructs the agent to derive and present public service URLs, public IP addresses, and SSH access guidance based on deployment output. Exposing connectivity details by default can leak sensitive infrastructure access information into chat transcripts or logs and may encourage unsafe remote access patterns beyond the minimum necessary deployment result.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The document explicitly forbids handling secrets in chat, commands, or persisted files, but later provides examples that place an API key directly on the command line and inside inline JSON. Command-line arguments and shell history are commonly exposed to process listings, logs, CI transcripts, and copy-paste reuse, so these examples directly undermine the earlier safety policy and are likely to cause credential leakage.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The verify workflow goes beyond deployment orchestration and performs remote instance inspection, log retrieval, and HTTP probing against the deployed host. This expands the skill's operational scope and trust boundary, increasing the chance of unintended access to sensitive runtime data or behavior not disclosed in the skill description.

Description-Behavior Mismatch

Severity: Low
Confidence: 91%
Finding
The deploy path automatically rewrites .appmanager/config.yaml to change groupName when a conflict is detected. Silent mutation of deployment configuration can alter future deploy behavior, surprise operators, and create persistence of unintended settings beyond the immediate command run.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The tool uses Alibaba Cloud ECS RunCommand to execute a shell command on the target instance for log collection. Remote command execution is materially broader than deployment itself and, if misused or extended, can access arbitrary files or run arbitrary commands on production infrastructure.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The invocation description is broad enough to match generic deployment or setup requests, which may cause the skill to trigger outside the user's intended Alibaba ECS workflow. In that case it could start cloning repos, checking credentials, or preparing cloud deployment actions with insufficient contextual confirmation.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill directs cloning a user-supplied git URL into the current working directory, which can modify the local workspace, overwrite assumptions about directory contents, and introduce untrusted code into the environment. Because the repo is user-controlled, this also increases the chance of later agent actions operating on adversarial project files.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The documentation includes destructive delete commands and explicitly notes that confirmation is skipped automatically in JSON mode. In an agent context, this increases the chance of accidental or unauthorized deletion of deployed applications or groups, especially if the model follows examples without obtaining fresh user approval.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The examples show `--api-key sk-xxxxxxxx` and JSON with `"apiKey": "sk-xxx"` directly in invocation syntax, without a warning that real secrets must never be supplied inline. Even as documentation, this encourages unsafe operator behavior and can result in secrets being recorded in terminal history, telemetry, CI logs, or shared runbooks.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The script rewrites .appmanager/config.yaml during deployment without just-in-time confirmation. Because this changes local project state and influences future deployments, it can cause confusing or unsafe follow-on actions that the user did not intend.

VirusTotal

VirusTotal findings are pending for this skill version.