Alibabacloud Lindorm Agent Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate Alibaba Cloud Lindorm assistant, but it gives agents unsafe access-handling guidance that could expose database root passwords and cloud credentials in chat or logs.

Install only if you are comfortable with a Lindorm-focused assistant using the Aliyun CLI and cloud database context. Before use, make sure the agent never prints or asks for real passwords, AK/SK values, STS tokens, x-ld-sk headers, root credentials, full connection endpoints, or whitelist contents unless you have explicitly approved that disclosure. Treat account-, permission-, whitelist-, storage-, release-, or upgrade-related steps as human-admin runbooks, not as actions the agent should run automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The guide explicitly instructs the agent to retrieve `InitialRootPassword` and provide password details in the connection workflow. This causes direct disclosure of highly sensitive authentication material to the chat surface, logs, and potentially unauthorized users, which can enable immediate database compromise if the requester is not properly verified.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
The recommendation to run `curl ifconfig.me` sends a network request to a third-party external service to discover the user's public IP. While lower severity than credential exposure, it introduces unnecessary data disclosure and dependence on an external endpoint outside the documented Lindorm workflow.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
This guide is framed as a storage analysis and monitoring reference, but it also instructs the agent to recommend and walk through operational changes such as enabling cold storage and configuring hot/cold tiering policies. In an agent context, scope drift from read-only diagnostics into change guidance increases the risk of the agent steering users toward disruptive actions, including rolling restarts and schema/storage policy changes, without explicit confirmation, authorization, or change-management safeguards.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The file explicitly states the agent must not directly create users or change permissions, yet the embedded example responses instruct the agent to say it will create accounts and provide concrete CREATE USER / GRANT / REVOKE / DROP USER sequences. In practice, operators often treat agent examples as approved runbooks, so this contradiction can normalize unsafe privileged actions and lead to unauthorized account creation, excessive privilege grants, or destructive revocations.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document claims secrets must never be read, echoed, or printed, yet later includes a sample `~/.aliyun/config.json` containing `access_key_secret` and other credential material. Even if illustrative, this normalizes secret disclosure and can cause an agent or user to reveal stored credentials during troubleshooting or demonstrations.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document claims secrets must never be read, echoed, or printed, yet later includes a sample `~/.aliyun/config.json` containing `access_key_secret` and other credential material. Even if illustrative, this normalizes secret disclosure and can cause an agent or user to reveal stored credentials during troubleshooting or demonstrations.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger list includes broad generic terms such as "embedding" and "rerank" that are common across many AI and search contexts, not just Lindorm. This can cause the skill to activate for unrelated requests and then steer the agent into Lindorm-specific guidance or CLI workflows, increasing the chance of inappropriate tool use, user confusion, or cross-domain prompt capture.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The skill hard-codes Beijing/CST interpretation for local timestamps and discourages UTC use for user-intended local times without requiring explicit user confirmation of timezone. In an operations skill that drives monitoring, troubleshooting, backup, and migration decisions, this can lead to querying the wrong incident window or acting on incorrect temporal assumptions, which materially affects reliability and incident response.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger examples include very generic everyday error-reporting phrases such as “这个错误是什么意思?” ("what does this error mean?") and broad statements like “报错了” ("it threw an error"), which can cause the skill to activate outside true Lindorm-specific contexts. In an agent setting, over-broad triggering can route unrelated user conversations into this skill, producing irrelevant operational advice or prompting unnecessary diagnostic actions against cloud resources.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick-start section gives a copy-pastable credential-setting command without a strong warning that command-line arguments may be captured by shell history, process listings, logs, and agent transcripts. In this skill's context, where users may ask an agent to help run commands, that materially increases the risk of credential exposure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Multiple authentication mode examples show literal access key, secret, and token arguments, which encourages insecure operational patterns across AK, STS, and role-assumption flows. Because this is a cloud administration skill, users are especially likely to reuse these patterns in production or automation, leading to credential leakage and account compromise.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The environment-variable examples present exporting credentials as straightforward shell commands but omit warnings that environment variables can leak to child processes, crash dumps, CI logs, debug output, and sometimes shell history. This is risky in automated or agent-assisted sessions where execution context and logging are often opaque to the user.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to write the root username and password directly into conf/hbase-site.xml, which can expose credentials through shell history, local files, backups, source control mistakes, or overly broad filesystem permissions. In a cloud database context, disclosure of the initial root password could enable unauthorized access to Lindorm data and administration.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document enumerates high-risk administrative commands such as instance creation, upgrade, release, and IP whitelist updates without any cautionary framing, confirmation guidance, or least-privilege advice. In an agent skill context, this can normalize destructive operations and increase the chance that an automated assistant suggests or executes irreversible infrastructure changes without adequate user validation.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The documentation includes commands and example outputs for retrieving connection endpoints and IP whitelist contents, which are sensitive infrastructure details useful for reconnaissance. While normal for operator documentation, presenting these details without handling guidance can cause an agent to overexpose internal hostnames, ports, and access-control data in responses or logs.

Ssd 3

High
Confidence
99% confidence
Finding
The skill directs the agent to fetch and present the instance's initial root password and to include SQL credentials in the final answer. In a cloud database context, exposing root credentials is especially dangerous because it grants privileged access to data and administrative operations; the skill context makes this more dangerous, not less, because users are specifically asking how to connect to live production-like instances.

External Transmission

Medium
Category
Data Exfiltration
Content
IVFBQ chunk index example:

```bash
curl --connect-timeout 10 -m 60 \
  -u <username>:<password> \
  -H 'Content-Type: application/json' \
  -XPUT "http://<search_endpoint>:30070/<dataset_name>_chunking?pretty" \
```
Confidence
92% confidence
Finding
```bash
curl --connect-timeout 10 -m 60 \
  -u <username>:<password> \
  -H 'Content-Type: application/json' \
  -XPUT "http://<search_endpoint>:30070/<dataset_name>_chunking?pretty" \
  -d '{ "settings":
```

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal