Alibabacloud Odps Maxframe Coding

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for MaxFrame/MaxCompute development, but it asks for overly broad agent-routing authority and includes high-impact cloud/data examples without enough safety scoping.

Install only if you need Alibaba Cloud MaxFrame/MaxCompute help and are comfortable reviewing generated code before running it. Treat table write/delete examples, overwrite=True, FullAccess policies, UDF network allowlists, LLM data processing, and .env credential setup as production-sensitive; use test tables, least-privilege roles, approved secret handling, and explicit confirmation before any remote write or cloud permission change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Vague Triggers

Severity: High
Confidence: 98%
Finding
The instruction to invoke the skill whenever there is even a 1% chance it applies is an aggressive routing rule that overrides normal relevance checks and pressures unnecessary activation. In a prompt-injection context, this increases the chance the skill will be pulled into unrelated tasks, expanding access to its file, env, and network behaviors beyond legitimate need.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The description includes many broad trigger phrases across coding, documentation, debugging, tables, runtimes, and GPU setup without strong exclusion boundaries. This can cause over-triggering into adjacent data-processing tasks where the skill is not necessary, increasing the chance of inappropriate tool use or unnecessary access to docs, files, or environment context.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The example performs a real remote write to an ODPS/DLF table with overwrite=True, which can replace existing data if a user substitutes real table names and runs it as-is. In the context of a data-processing skill, this is more dangerous because the code is positioned as a copy-pastable example for production-like table operations, increasing the chance of accidental destructive modification.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The documentation includes an example that writes to an ODPS table with overwrite=True but does not explicitly warn that this will replace existing table contents. In a data-processing skill, users may copy the snippet directly into production workflows, making accidental destructive data loss a realistic outcome.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The complete pipeline example performs a final write with overwrite=True without any caution about destructive behavior. Because this appears in an end-to-end workflow, users are especially likely to treat it as a production-ready template and unintentionally erase existing data in the destination table.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The guide explicitly tells users to place long-lived MaxCompute access credentials in a project-local `.env` file, but does not warn about accidental source control commits, filesystem exposure, or safer secret-management alternatives. In a developer-facing installation guide, this omission can directly lead to credential leakage and unauthorized access to MaxCompute projects if the file is committed, shared, or left on multi-user systems.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The tutorial includes `o.delete_table('pyodps_ml_100k_lens', if_exists=True)` without an explicit warning that it permanently deletes an ODPS table. In a data-processing skill focused on real table operations, users may copy-paste this into production-like environments and unintentionally destroy data or disrupt workflows.
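The three overwrite=True findings and the delete_table finding above describe the same failure mode: a copy-pasted example that silently replaces or drops a real table. One way to make such snippets safe to copy is a thin guard that lets scratch tables through and makes every other destructive call name its target explicitly. This is an added example, not code from the scanned skill, PyODPS or MaxFrame; it assumes a client exposing exist_table, delete_table(name, if_exists=...) and a write method with an overwrite flag, and uses an in-memory stand-in so it runs offline. The scratch-table prefixes are an assumed naming convention.

```python
"""Confirmation guard for destructive MaxCompute table operations (added example)."""
from dataclasses import dataclass, field

SCRATCH_PREFIXES = ("tmp_", "test_", "dev_")  # assumption: convention for disposable tables


class ConfirmationRequired(Exception):
    """A destructive operation targeted a non-scratch table without explicit confirmation."""


@dataclass
class FakeODPS:
    """Offline stand-in for the PyODPS entry object (constructed for this example)."""
    tables: dict = field(default_factory=dict)

    def exist_table(self, name):
        return name in self.tables

    def delete_table(self, name, if_exists=False):
        if name not in self.tables and not if_exists:
            raise KeyError(name)
        self.tables.pop(name, None)

    def write_table(self, name, rows, overwrite=False):
        # overwrite=True replaces the whole table, as in the skill's write examples
        if overwrite:
            self.tables[name] = list(rows)
        else:
            self.tables.setdefault(name, []).extend(rows)


def is_scratch(table):
    return table.startswith(SCRATCH_PREFIXES)


def safe_write(o, table, rows, overwrite=False, confirm=None):
    """Write rows; overwriting an existing non-scratch table requires confirm == table."""
    if overwrite and o.exist_table(table) and not is_scratch(table) and confirm != table:
        raise ConfirmationRequired(
            f"overwrite=True would replace every row in {table!r}; pass confirm={table!r}"
        )
    o.write_table(table, rows, overwrite=overwrite)


def safe_delete(o, table, confirm=None):
    """Drop a table; non-scratch tables require confirm == table, scratch tables drop freely."""
    if not is_scratch(table) and confirm != table:
        raise ConfirmationRequired(f"dropping {table!r} requires confirm={table!r}")
    o.delete_table(table, if_exists=True)


if __name__ == "__main__":
    o = FakeODPS({"sales": [1, 2, 3]})
    safe_write(o, "tmp_sales", [1, 2, 3], overwrite=True)   # scratch table: allowed
    try:
        safe_write(o, "sales", [9], overwrite=True)            # refused without confirm
    except ConfirmationRequired as e:
        print("blocked:", e)
    safe_write(o, "sales", [9], overwrite=True, confirm="sales")
    safe_delete(o, "tmp_sales")
    print(o.tables)
```

The confirm value is the table name rather than a boolean so that an agent or a human cannot satisfy it with a generic `--yes`; it has to restate the exact target it is about to destroy.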

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The documentation describes an LLM-based text classification API but does not warn that input text, labels, descriptions, and examples may be transmitted to a language model service. In a data-processing skill for MaxCompute/MaxFrame, users may reasonably pass sensitive business data, so the omission can lead to unintended disclosure of proprietary or regulated information to external or managed model backends.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation describes an LLM-powered extraction API but does not warn that input text may be transmitted to a model service, which can expose sensitive or regulated data if users pass raw documents, logs, or personal information. In this skill context, the risk is heightened because the feature is positioned for data-processing workflows on Alibaba Cloud/MaxCompute, where users may reasonably apply it to production datasets containing confidential business or personal data.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation instructs users to translate series content with a TextGenLLM but does not clearly warn that the input text may be transmitted to an external or managed language model service. In a data-processing context, users may pass sensitive table contents, PII, or proprietary text into this API under the assumption it behaves like a local transformation, creating confidentiality and compliance risks.
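The three LLM findings (classification, extraction, translation) share one mitigation: mask identifiers before any row leaves for the model service, and keep an audit of what was redacted. The following is an added example, not code from the skill or from MaxFrame's LLM APIs; the regexes are illustrative (mainland mobile and 18-character resident-ID layouts, and Alibaba Cloud AccessKey IDs assumed to start with `LTAI`), the model is any callable, and the sample rows are constructed.

```python
"""Mask identifiers before text is handed to a hosted LLM (added example)."""
import re

# Order matters: the 18-digit ID pattern runs before the 11-digit phone pattern.
PII_PATTERNS = (
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("CN_ID", re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")),           # assumption: resident ID layout
    ("PHONE", re.compile(r"(?<!\d)(?:\+?86[- ]?)?1\d{10}(?!\d)")),  # assumption: mainland mobile
    ("AK_ID", re.compile(r"\bLTAI[A-Za-z0-9]{12,24}\b")),          # assumption: AccessKey ID prefix
)


def mask_pii(text):
    """Replace each match with a <TYPE> token; return the masked text and per-type counts."""
    counts = {}
    for label, pattern in PII_PATTERNS:
        text, n = pattern.subn(f"<{label}>", text)
        if n:
            counts[label] = n
    return text, counts


def call_llm_masked(rows, llm, audit):
    """Send only masked text to `llm` (any callable); append (row_index, counts) to `audit`."""
    outputs = []
    for i, row in enumerate(rows):
        masked, counts = mask_pii(row)
        audit.append((i, counts))
        outputs.append(llm(masked))
    return outputs


if __name__ == "__main__":
    # Constructed sample rows standing in for a MaxFrame series
    rows = [
        "Refund request from alice@example.com, call 13812345678",
        "Customer 110101199001011234 complains about delivery",
        "Rotate key LTAI4FexampleKeyId1 before Friday",
    ]
    audit = []
    print(call_llm_masked(rows, lambda s: f"[model saw] {s}", audit))
    print(audit)
```

Masking happens on the client side, before the call, so it holds whether the backend is a hosted service or a managed model inside the cloud account; the audit list is what lets a reviewer later prove which columns never left in clear.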

Natural-Language Policy Violations

Severity: Medium
Confidence: 97%
Finding
The example states that a p-value of about 0.009 means the null hypothesis has a probability of about 99% of being true, which is statistically incorrect. A p-value is not the posterior probability that the null hypothesis is true; presenting it this way can mislead users into making overconfident scientific, business, or operational decisions based on incorrect inference.
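The distinction the finding relies on, written out (added here, not from the scanned skill): a p-value conditions on the null, whereas the "probability the null is true" conditions on the data and needs a prior.

$$
p = \Pr\big(T \ge t_{\text{obs}} \mid H_0\big), \qquad
\Pr(H_0 \mid \text{data}) = \frac{\Pr(\text{data} \mid H_0)\,\Pr(H_0)}{\Pr(\text{data} \mid H_0)\,\Pr(H_0) + \Pr(\text{data} \mid H_1)\,\Pr(H_1)}
$$

A p-value of $0.009$ fixes only the left-hand quantity. The right-hand one needs $\Pr(H_0)$ and the likelihood under the alternative, neither of which the example supplies, and $1 - p$ is not a substitute for it.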

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The document provides concrete examples for enabling `substep.public_network_whitelist` and `substep.internal_network_whitelist` without an explicit warning that these settings expand UDF network reachability and can enable data exfiltration, lateral movement, or access to sensitive internal services if misused. In a developer-facing skill, users may copy these snippets directly into production configurations, so the omission meaningfully lowers the barrier to unsafe network enablement.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The guide explicitly recommends attaching `AliyunOSSFullAccess` and `AliyunMaxComputeFullAccess` to the MaxCompute role, which violates least-privilege and can give any job using that role far broader access than needed. If the role is misused, compromised, or attached to untrusted workloads, an attacker could read, modify, or delete OSS data and perform excessive actions in MaxCompute across the account scope allowed by those policies.
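What a least-privilege replacement for the two FullAccess policies looks like, plus a check that flags wildcard grants before a policy is attached. This is an added example, not from the skill or from Alibaba Cloud's documentation; the policy follows RAM policy syntax as the editor knows it (`Version` "1", a `Statement` list, `acs:oss:*:*:bucket/prefix/*` resources), and the bucket and prefix names are placeholders.

```python
"""Scoped RAM policy for a MaxCompute role, with a wildcard-grant checker (added example)."""
import json

SCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {   # read-only on the input prefix; ListObjects is granted on the bucket itself
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:ListObjects"],
            "Resource": [
                "acs:oss:*:*:my-data-bucket",                   # placeholder bucket name
                "acs:oss:*:*:my-data-bucket/maxframe-input/*",  # placeholder prefix
            ],
        },
        {   # write only under the output prefix
            "Effect": "Allow",
            "Action": ["oss:PutObject"],
            "Resource": ["acs:oss:*:*:my-data-bucket/maxframe-output/*"],
        },
    ],
}

# Roughly what a FullAccess system policy grants, written inline for comparison
BROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def overbroad_grants(policy):
    """Return (action, resource) pairs in Allow statements that use a service- or account-wide wildcard."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                wild_action = action == "*" or action.endswith(":*")
                # acs:oss:*:*:*  means every bucket; acs:oss:*:*:bucket/* is a scoped prefix
                wild_resource = resource == "*" or resource.split(":")[-1] == "*"
                if wild_action or wild_resource:
                    hits.append((action, resource))
    return hits


def render(policy):
    """Serialize for pasting into the RAM console or CLI."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(SCOPED_POLICY))
    print("scoped:", overbroad_grants(SCOPED_POLICY))
    print("broad:", overbroad_grants(BROAD_POLICY))
```

Run the checker over any custom policy in CI before it is attached to the role; it cannot inspect the built-in AliyunOSSFullAccess and AliyunMaxComputeFullAccess policies by name, which is one more reason to replace them with an inline policy the team owns.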

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The guide explicitly documents making outbound HTTP requests from a UDF and only notes the platform permission requirement; it does not warn about data exfiltration, privacy, secrets handling, or the risks of sending row data to external services. In a data-processing skill for MaxCompute/MaxFrame, users are likely to operate on sensitive enterprise datasets, so normalized examples of external requests can lead to unsafe copying of internal data to third parties.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The documentation recommends passing secrets via environment variables and shows a concrete `docker run -e ...` example without warning that environment variables can be exposed through shell history, orchestration metadata, debug output, crash reports, or container inspection. In a skill focused on runtime/image setup, users are likely to copy-paste these patterns directly, increasing the chance of credential leakage.
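The `.env` finding and the `docker run -e` finding above are both about credentials landing in files and command lines that get committed or logged. A pre-commit style scan catches both before they leave the workstation. This is an added example, not from the skill; it assumes the variable-name prefixes an installation guide of this kind would use (`ALIBABA_CLOUD_`, `MAXCOMPUTE_`, `ODPS_`) and that AccessKey IDs start with `LTAI`, and the project files are constructed in memory so the script runs offline (a real hook would read `git diff --cached` instead).

```python
"""Scan a project tree for MaxCompute credentials and unignored .env files (added example)."""
import posixpath
import re

SECRET_PATTERNS = (
    ("ak_id", re.compile(r"\bLTAI[A-Za-z0-9]{12,24}\b")),  # assumption: AccessKey ID prefix
    ("env_secret", re.compile(
        r'''\b(?:ALIBABA_CLOUD|MAXCOMPUTE|ODPS)_?(?:ACCESS_KEY_SECRET|SECRET|AK_SECRET)'''
        r'''\s*[=:]\s*["']?[A-Za-z0-9/+]{20,}''')),
    ("docker_e", re.compile(r"docker\s+run\b.*\s-e\s+\w*(?:SECRET|KEY)\w*=\S+")),  # secret on the command line
)

# Constructed sample project (the key values are placeholders, not real credentials)
SAMPLE_FILES = {
    ".env": "MAXCOMPUTE_ACCESS_KEY_ID=LTAI4Fexampleexample\n"
            "MAXCOMPUTE_ACCESS_KEY_SECRET=abcdefghijklmnopqrstuvwx\n",
    "run.sh": "docker run -e MAXCOMPUTE_ACCESS_KEY_SECRET=abcdefghijklmnopqrstuvwx image:tag\n",
    "main.py": "import maxframe\n",
    ".gitignore": "__pycache__/\n",
}


def scan_files(files):
    """files: {path: text}. Return (path, line_no, kind) for each line that looks like a credential."""
    hits = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for kind, pattern in SECRET_PATTERNS:
                if pattern.search(line):
                    hits.append((path, no, kind))
    return hits


def unignored_env_files(files):
    """Return .env-style files that no .gitignore line covers (simplified matching; an assumption)."""
    ignore = {
        line.strip().lstrip("/")
        for line in files.get(".gitignore", "").splitlines()
        if line.strip() and not line.startswith("#")
    }
    env_covered = bool(ignore & {".env", ".env*", "*.env"})
    return [
        path for path in files
        if posixpath.basename(path).startswith(".env") and not env_covered and path not in ignore
    ]


if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print("credential-like line:", hit)
    for path in unignored_env_files(SAMPLE_FILES):
        print("not ignored by git:", path)
```

Wire `scan_files` into a pre-commit hook that exits non-zero on any hit, and keep the long-lived key out of both `.env` and `docker run -e` by mounting a secrets file or using a short-lived STS credential where the runtime supports it.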

Missing User Warnings

Severity: Low
Confidence: 94%
Finding
The documentation instructs users to replace apt, conda, and pip package sources with third-party mirrors and uses shell redirection that overwrites existing configuration files. While presented as a performance optimization for China-region users, this changes software trust boundaries and can silently persist altered package sources, increasing supply-chain risk and the chance of unexpected package provenance.

Ssd 1

Severity: High
Confidence: 99%
Finding
The skill explicitly claims it can override default system behavior and frames itself as mandatory whenever arguably relevant. Attempts to supersede higher-level agent control are a classic prompt-injection pattern because they seek to alter routing and policy decisions made by the host, potentially forcing unsafe or unnecessary execution paths.

VirusTotal

VirusTotal findings are pending for this skill version.
