Alibabacloud Milvus Manage

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Milvus management skill, but it can make real cloud, network, credential, and access-control changes with safety guidance that is too thin in several places.

Install only if you intend to let the agent help manage real Alibaba Cloud Milvus resources. Use a tightly scoped RAM account, review every command before execution, require explicit approval for create, scale, public network, ACL, service-role, and resource-group changes, and do not paste real passwords or private media into the documented examples.
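The review gate this guidance asks for, as an added example that is not code from the skill or from Alibaba Cloud. It assumes the agent hands each proposed call over as an action name plus a JSON request body, and that secrets are passed as `${ENV_VAR}` references that the executor resolves at call time (an assumed convention, not a CLI feature). The action names are the ones the findings below quote from the skill's RAM policy; `cidrList` and `ListInstances` in the sample calls are assumed names.

```python
"""Pre-execution guard for agent-proposed Alibaba Cloud Milvus API calls.

Added example, not code from the skill or from Alibaba Cloud. It assumes the
agent hands each proposed call over as an action name plus a JSON request
body, and that secrets are passed as "${ENV_VAR}" references that the
executor resolves at call time (an assumed convention, not a CLI feature).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Any, Iterator

# Write-capable actions named in the skill's RAM policy and findings:
# every one of them needs explicit human approval before it runs.
APPROVAL_REQUIRED = {
    "CreateInstance", "UpdateInstance", "ModifyInstanceConfig",
    "UpdatePublicNetworkStatus", "UpdateAccessControlList",
    "ChangeResourceGroup", "CreateDefaultRole",
}
# Body fields that must never carry a literal value.
SECRET_FIELDS = {"dbAdminPassword"}
SECRET_REF = re.compile(r"^\$\{[A-Z][A-Z0-9_]*\}$")   # "${MILVUS_DB_ADMIN_PASSWORD}"
CIDR_LIKE = re.compile(r"^[0-9a-fA-F:.]+/\d{1,3}$")


@dataclass
class Verdict:
    decision: str                       # "allow", "approve" or "block"
    reasons: list[str] = field(default_factory=list)


def _leaves(obj: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every scalar in a nested request body."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _leaves(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _leaves(val, f"{path}[{i}]")
    else:
        yield path, obj


def review_call(action: str, body: dict) -> Verdict:
    """Decide whether a proposed call may run, needs approval, or is refused."""
    block: list[str] = []
    approve: list[str] = []
    if action in APPROVAL_REQUIRED:
        approve.append(f"{action} changes cloud state, cost or exposure")
    for path, value in _leaves(body):
        leaf = path.rsplit(".", 1)[-1]
        if leaf in SECRET_FIELDS:
            # A literal here would land in shell history, logs and agent traces.
            if not (isinstance(value, str) and SECRET_REF.match(value)):
                block.append(f"{path}: literal secret; pass a ${{VAR}} reference")
        elif isinstance(value, str) and CIDR_LIKE.match(value):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue
            if net.prefixlen == 0:
                block.append(f"{path}: {value} admits the whole internet")
            elif net.num_addresses > 65536:
                approve.append(f"{path}: {value} is a very broad allowlist")
    if block:
        return Verdict("block", block + approve)
    if approve:
        return Verdict("approve", approve)
    return Verdict("allow")


if __name__ == "__main__":
    # Constructed sample calls; "cidrList" and "ListInstances" are assumed names.
    samples = [
        ("CreateInstance", {"dbAdminPassword": "ChangeMe-123"}),
        ("CreateInstance", {"dbAdminPassword": "${MILVUS_DB_ADMIN_PASSWORD}"}),
        ("UpdateAccessControlList", {"cidrList": ["0.0.0.0/0"]}),
        ("UpdateAccessControlList", {"cidrList": ["203.0.113.0/24"]}),
        ("ListInstances", {"pageSize": 10}),
    ]
    for action, body in samples:
        verdict = review_call(action, body)
        print(f"{action:25} -> {verdict.decision:7} {'; '.join(verdict.reasons)}")
```

The guard refuses outright only for the two mistakes that cannot be undone by a later review (a secret written into the transcript, an allowlist open to the whole internet); everything else on the write-capable list is routed to a human with the reason attached, and read-only calls pass.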

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The documented `CreateDefaultRole` operation can create a service role that grants Milvus access to other Alibaba Cloud products such as OSS, expanding the skill's effective privilege scope beyond direct Milvus instance management. In an agent setting, exposing this action without strong justification or guardrails increases the risk of unintended IAM changes and privilege expansion that could be abused or triggered by prompt injection or operator error.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The `CreateInstance` examples include a plaintext `dbAdminPassword` directly in CLI body examples, normalizing insecure secret handling and encouraging credentials to be placed in shell history, logs, transcripts, and agent traces. In an agent-operated skill, this is especially risky because secrets may be echoed, stored, or reused across tools without the user realizing the exposure.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The documentation shows how to enable public network access to the Milvus proxy with only a mild recommendation for CIDR restriction and no prominent warning about exposing a database endpoint to the internet. In this skill's context, that omission is dangerous because agents or users may follow the example mechanically, creating externally reachable vector database services that increase attack surface, unauthorized access risk, and data exposure potential.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The example command embeds a plaintext admin password and uses `--force` to create a real cloud resource without any safety warning about cost, secret handling, or replacing placeholders. In a cloud-management skill, users may copy-paste examples directly, which can lead to credential exposure in shell history and logs and to unintended billable instance creation.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The guide includes a reusable plaintext admin password example and later reuses the same secret in connection instructions. In practice, users often copy examples verbatim, which can lead to weak/default credential reuse, secret exposure in shell history or docs, and easier compromise of a newly created Milvus instance.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The creation examples embed `dbAdminPassword` directly in CLI request bodies using a realistic-looking placeholder, but the document provides no explicit warning that this value is highly sensitive and must not be hardcoded, logged, or copied into shell history. In this skill context, operators are likely to paste and adapt commands verbatim, which can lead to credential exposure through terminal history, process inspection, shared scripts, or screenshots.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The documented resource group transfer command performs an administrative change that can affect access control, billing visibility, automation targeting, and organizational governance, but it is presented without any warning, prerequisite checks, or confirmation guidance. In an agent skill context, this omission is more dangerous because users may execute the command directly from the playbook, causing unintended operational changes to production resources.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The RAM policy document grants write-capable permissions such as CreateInstance, UpdateInstance, ModifyInstanceConfig, UpdatePublicNetworkStatus, UpdateAccessControlList, and ChangeResourceGroup, but it does not warn users that these actions can create billable resources, alter exposure, or weaken network controls. In a security-sensitive infrastructure skill, omission of such warnings increases the likelihood of unintended public exposure or disruptive configuration changes by operators who may assume the permissions are routine and low-risk.
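A way to audit a RAM policy for exactly these write-capable grants, as an added example that is not part of the skill. The policy JSON is constructed for the demonstration; the `Version` / `Statement` / `Effect` / `Action` / `Resource` layout is the standard RAM policy shape, and the `milvus:` action prefix is assumed, so confirm the exact action names against the Milvus API reference before relying on them. The point it makes beyond the finding: a policy that grants `milvus:*` hands out every one of these actions without naming any of them.

```python
"""Audit an Alibaba Cloud RAM policy for write-capable Milvus actions.

Added example, not part of the skill. The policy JSON is constructed for the
demo; the "milvus:" action prefix is an assumption to check against the
Milvus API reference. An explicit Deny overrides any Allow, as in RAM.
"""
import fnmatch
import json

# Write-capable actions the skill's RAM policy hands out, per the finding above.
WRITE_ACTIONS = [
    "CreateInstance", "UpdateInstance", "ModifyInstanceConfig",
    "UpdatePublicNetworkStatus", "UpdateAccessControlList",
    "ChangeResourceGroup",
]
SERVICE = "milvus"


def _actions(stmt: dict) -> list[str]:
    """RAM allows Action to be a single string or a list; normalise to a list."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def granted_write_actions(policy: dict) -> list[str]:
    """Return the write actions the policy effectively allows.

    Wildcards such as "milvus:*" or "milvus:Update*" are expanded against the
    known write actions; any explicit Deny removes the action again.
    """
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _actions(stmt):
            for name in WRITE_ACTIONS:
                if fnmatch.fnmatchcase(f"{SERVICE}:{name}".lower(), pattern.lower()):
                    target.add(name)
    return sorted(allowed - denied)


def deny_statement(actions: list[str]) -> dict:
    """Build a Deny statement that carves the given actions out of a policy."""
    return {"Effect": "Deny",
            "Action": [f"{SERVICE}:{a}" for a in actions],
            "Resource": "*"}


# Constructed policy: the wildcard quietly grants every write action; only the
# explicit Deny on ChangeResourceGroup is taken back.
OPERATOR_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "milvus:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["milvus:ChangeResourceGroup"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    grants = granted_write_actions(OPERATOR_POLICY)
    print("write actions granted:", grants)
    # Statement to append for a review-only RAM identity used by the agent.
    print(json.dumps(deny_statement(grants), indent=2))
```

Run it against the policy the skill ships and attach the resulting Deny statement to whatever RAM user or role the agent authenticates as; the agent then keeps read access for answering questions while every billable or exposure-changing action has to be performed through an approved path.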

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation explicitly recommends uploading large multimedia content to OSS with public-read access and then passing the public URL into Milvus workflows. That guidance can expose sensitive images, audio, or video to anyone with the link or to internet-wide discovery, and the skill does not warn users about privacy, retention, access control, or safer alternatives such as signed URLs or private buckets.
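The safer alternative the finding names, a time-limited signed URL on a private object, as an added example that is not part of the skill. It reproduces the OSS V1 URL-signing scheme (HMAC-SHA1 over `GET\n\n\n{expires}\n/{bucket}/{key}`, carried in the `OSSAccessKeyId`, `Expires` and `Signature` query parameters) so that it runs offline and can be checked here; in production use the `oss2` SDK's `bucket.sign_url()`, which produces the same kind of URL. The bucket, endpoint, object key and credentials are constructed values.

```python
"""Time-limited OSS download URL instead of a public-read object.

Added example, not part of the skill. It reproduces the OSS V1 URL-signing
scheme so that it runs offline; in production use oss2's bucket.sign_url().
Credentials, bucket, endpoint and object key below are constructed values.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlparse


def _signature(secret: str, bucket: str, key: str, expires: int) -> str:
    # V1 string to sign for a GET with no Content-MD5, Content-Type or
    # x-oss-* headers: VERB, three separators, Expires, canonical resource.
    string_to_sign = f"GET\n\n\n{expires}\n/{bucket}/{key}"
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_get_url(bucket: str, endpoint: str, key: str,
                 access_key_id: str, access_key_secret: str, expires: int) -> str:
    """Return a GET URL for a private object that stops working at `expires`."""
    sig = _signature(access_key_secret, bucket, key, expires)
    return (f"https://{bucket}.{endpoint}/{quote(key, safe='/')}"
            f"?OSSAccessKeyId={quote(access_key_id, safe='')}"
            f"&Expires={expires}&Signature={quote(sig, safe='')}")


def verify_get_url(url: str, access_key_secret: str, now: int) -> bool:
    """Check a signed URL the way the service does: unexpired and untampered."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["Expires"][0])
        presented = query["Signature"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    bucket = parts.netloc.split(".", 1)[0]
    key = unquote(parts.path.lstrip("/"))
    expected = _signature(access_key_secret, bucket, key, expires)
    # The signature binds bucket, key and expiry, so changing any of them
    # (or presenting the URL after expiry) fails here.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed credentials and object; never commit real ones.
    secret = "example-secret-do-not-use"
    url = sign_get_url("media-private", "oss-cn-hangzhou.aliyuncs.com",
                       "videos/interview.mp4", "LTAI-example", secret, 1_700_000_000)
    print(url)
    print("valid before expiry:", verify_get_url(url, secret, 1_699_999_000))
    print("valid after expiry: ", verify_get_url(url, secret, 1_700_000_001))
```

Keep the bucket private, mint a URL with an expiry of minutes rather than days right before the Milvus workflow needs it, and hand the Milvus pipeline that URL instead of a permanent public link; the same object becomes unreachable once the window closes, which public-read never offers.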

VirusTotal

All 65 VirusTotal vendors reported this skill as clean (0/65 detections).