Alibabacloud Mongodb Instances Manage

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it can make broad, costly, and destructive Alibaba Cloud changes, so it belongs in Review before installation.

Install only if you intend to let an agent administer Alibaba Cloud ApsaraDB for MongoDB. Use a dedicated least-privilege RAM user or role scoped to the needed regions and resources; avoid granting BSS, KMS, resource-group, public-network, billing, or delete permissions unless the specific task requires them. Prefer short-lived credentials, avoid putting real secrets in command arguments or shell profiles, and manually approve any deletion, password reset, public address, billing, renewal, KMS, or purchase operation.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch (severity: High, 94% confidence)

The skill includes KMS instance and key creation flows that materially expand its power beyond MongoDB lifecycle management into cryptographic infrastructure provisioning. In an agent setting, this violates scope expectations and can lead to unauthorized creation of billable security resources or encryption assets, especially because users may invoke the skill assuming it only manages MongoDB. The context makes this more dangerous because KMS is a sensitive control-plane service and its inclusion is not obvious from the skill's stated boundary.

Description-Behavior Mismatch (severity: Medium, 95% confidence)

The policy documentation requests broad non-MongoDB permissions including KMS key creation, resource-group creation, and especially BSS instance creation, all with Resource '*' scope. Those capabilities exceed routine MongoDB lifecycle management and materially expand what a user may authorize, increasing blast radius and enabling unrelated resource provisioning or billing actions.

Context-Inappropriate Capability (severity: High, 99% confidence)

Granting bss:CreateInstance and related billing/procurement permissions allows the skill operator or an abused workflow to purchase or provision billable services outside MongoDB management. In this context, that is especially dangerous because the skill is presented as infrastructure management, so users may trust and apply the full policy without noticing they are also delegating spend authority.

Context-Inappropriate Capability (severity: Medium, 84% confidence)

The documented KMS permissions include key creation rather than only discovery or use of existing keys. While encryption support can be relevant to database provisioning, creating keys and listing KMS instances is a separate privileged capability that broadens access beyond core MongoDB administration if not strictly required.

Context-Inappropriate Capability (severity: Medium, 90% confidence)

rm:CreateResourceGroup allows creation of organizational cloud resources unrelated to direct MongoDB instance operations. Including it as part of a broadly recommended policy violates least privilege and could be abused to create or reorganize assets outside the declared scope of the skill.

Description-Behavior Mismatch (severity: Medium, 88% confidence)

The skill is declared as MongoDB instance lifecycle management, but the reference material includes standalone VPC creation and management APIs. That scope expansion enables the agent to provision or alter foundational network infrastructure beyond the user's likely intent, increasing blast radius and the chance of privilege misuse or unintended lateral changes.

Description-Behavior Mismatch (severity: High, 95% confidence)

The documentation adds KMS key and KMS instance lifecycle management, which is materially outside MongoDB administration and introduces sensitive cryptographic control-plane actions. A skill that can create, inspect, or especially delete key material can affect confidentiality, availability, and recoverability of protected resources well beyond MongoDB.

Description-Behavior Mismatch (severity: Medium, 86% confidence)

Resource group administration is unrelated to routine MongoDB instance management and broadens the skill into organizational resource governance. This can be exploited to reorganize or affect access boundaries for cloud assets outside the database workflow, violating least privilege and user expectations.

Context-Inappropriate Capability (severity: High, 97% confidence)

Scheduling KMS key deletion is a destructive security operation that is not appropriate for a MongoDB management skill. If invoked, it can break encryption-dependent services, cause data inaccessibility, and undermine disaster recovery, with effects extending beyond a single MongoDB instance.

Vague Triggers (severity: Medium, 91% confidence)

The trigger list contains very generic phrases such as "MongoDB", "list instances", and "reset password", which can match ordinary user requests outside the intended Alibaba Cloud MongoDB administration context. In an agent skill that performs high-impact cloud operations like password resets, public network allocation, scaling, and deletion, overly broad activation increases the chance of accidental invocation and unintended destructive or security-sensitive actions.

Missing User Warnings (severity: Medium, 95% confidence)

The guide shows users passing access keys and secrets directly on the command line, which can leak via shell history, process listings, CI logs, or terminal recording. Although the document later mentions not committing credentials and securing the config file, it lacks an immediate warning at the point of use where users are most likely to copy-paste sensitive material.

Missing User Warnings (severity: Medium, 90% confidence)

Credential environment variable examples are useful, but without a nearby caution they may be copied into shell profiles, build logs, or shared CI configuration where secrets persist longer than intended. In an automation-oriented skill, this risk is elevated because users may adopt these examples directly in pipelines and agent-driven workflows.

Missing User Warnings (severity: Medium, 86% confidence)

The document enumerates highly sensitive actions such as DeleteDBInstance, ResetAccountPassword, AllocatePublicNetworkAddress, ModifySecurityIps, and billing conversion without strong warnings, approval guidance, or safe defaults. In a skill context, this can normalize overbroad grants and cause users to authorize destructive or exposure-increasing capabilities they do not fully understand.

Missing User Warnings (severity: Medium, 81% confidence)

The examples include destructive or state-changing commands such as deleting instances without surrounding warnings, confirmation guidance, or rollback notes. In an agent context, terse operational examples can be copied directly into automated execution paths, increasing the risk of accidental service disruption or irreversible changes.

Missing User Warnings (severity: Medium, 89% confidence)

The documentation shows a direct `mongosh` connection example using the privileged `root` account and an inline password placeholder, but it does not warn against putting secrets in shell history, logs, or process arguments. In an infrastructure-management skill for production MongoDB instances, this can normalize unsafe credential handling and encourage use of overprivileged accounts for routine verification.

VirusTotal

65/65 vendors flagged this skill as clean.