Alibabacloud Flink Knowledge

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a legitimate Alibaba Cloud Flink assistant, but it asks agents to update local aliyun CLI plugins while also claiming that it makes no persistent system changes.

Review before installing. Use a least-privilege Alibaba Cloud RAM account, avoid giving production-wide or billing access unless needed, and do not allow `aliyun plugin update` unless you intentionally want the local CLI plugin environment changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 90%
Finding
The skill's declared purpose is a Flink knowledge assistant, but its behavior includes local validation and file-reading logic outside that scope. Description-behavior mismatch weakens user consent and security review because operators may approve a seemingly informational skill that also performs undeclared local inspection tasks.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The skill is framed as a knowledge and SQL-generation assistant, but it instructs the agent to execute Alibaba Cloud CLI commands and query live runtime state. This expands the skill from passive advisory behavior into active environment interaction, which can expose credentials, cloud metadata, or operational state if triggered inappropriately.

Context-Inappropriate Capability

High
Confidence: 95%
Finding
The documented `aliyun plugin update` command performs a system-level change that is not necessary for answering most knowledge queries. Allowing a knowledge assistant to update plugins can persistently modify the execution environment, introduce supply-chain risk, and violate least-privilege expectations.

Intent-Code Divergence

High
Confidence: 97%
Finding
The skill claims that operations are automatically reverted and make no persistent system modifications, yet it later instructs a plugin update that can change the environment durably. This is dangerous because it creates false trust signals for reviewers and users, masking real modification capability behind misleading safety assurances.

VirusTotal

65/65 vendors flagged this skill as clean.
