Alibabacloud Pai Eas Service Deploy

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with its stated purpose, deploying Alibaba Cloud PAI-EAS services, but it asks for high-impact cloud changes (global CLI configuration, plugin installation, delete-and-recreate of a named service) and prints live service tokens as part of its normal output.

Review before installing. Use a least-privilege RAM user, avoid root or broad account credentials, run it only in an isolated environment if possible, and do not let it print or store real service tokens in chat logs. Confirm any service creation, plugin installation, CLI config change, or delete/recreate action yourself before execution, and prefer HTTPS/private endpoints with token redaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (15)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill directs the agent to install and update Aliyun CLI plugins on the host, which modifies the local execution environment beyond the narrow act of deploying a service. This broadens the blast radius to host integrity and supply-chain risk, especially because plugin installation pulls executable code and may affect later commands or other tasks.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill changes global Aliyun CLI configuration such as AI mode, auto-plugin-install, user agent, and region, which persists outside the immediate deployment action. Persistent global config changes can alter behavior of unrelated workflows, enable unintended plugin installs, and create hard-to-audit side effects on the host.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill explicitly instructs the agent to retrieve and disclose the service AccessToken in the final response. Exposing a live bearer token to the user-facing channel creates immediate credential leakage risk, enabling unauthorized invocation of the deployed service by anyone with access to the transcript or logs.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The workflow explicitly instructs the agent to delete an existing service with the same name before redeployment, which adds destructive behavior to a deployment skill. In an automated or mistaken invocation, this can cause service interruption, loss of availability, and accidental replacement of a production endpoint without an explicit confirmation gate.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill instructs autonomous creation of cloud services without asking for user confirmation before executing deployment commands. Because service creation can incur cost, consume quotas, and expose network endpoints, removing the confirmation gate increases the risk of unintended or unauthorized changes.

Missing User Warnings

High
Confidence: 98%
Finding
The required final output exposes an AccessToken without any warning or protection, making sensitive credential disclosure part of the normal success path. In skill context this is more dangerous because deployment transcripts are often retained in chat history, logs, or monitoring systems, turning a transient token into a broadly exposed secret.

Missing User Warnings

Medium
Confidence: 89%
Finding
The guide provides multiple non-interactive examples that persist long-lived Access Key credentials via `aliyun configure set` and even shows the resulting `~/.aliyun/config.json` structure, but it does not place an immediate warning next to those commands that secrets will be written to disk. In an agent/automation skill, this increases the chance that users or automated systems will store highly privileged cloud credentials on shared hosts, ephemeral runners, or developer machines without understanding the persistence and exposure risk.

Missing User Warnings

Low
Confidence: 84%
Finding
The debugging section recommends `--log-level=debug` without warning that debug output can include request metadata, endpoint details, profile selection, and potentially sensitive authentication context depending on CLI behavior and surrounding environment. In troubleshooting scenarios, users commonly paste logs into tickets or chat, so missing this warning can lead to inadvertent credential or environment disclosure.

Missing User Warnings

Medium
Confidence: 95%
Finding
The examples repeatedly instruct users to launch vLLM with `--trust-remote-code`, which allows model repositories to execute custom Python code during loading. In a deployment skill focused on serving models, this is especially dangerous because users may copy these templates directly into production and load third-party OSS-hosted models, turning documentation into a path for remote code execution on the inference host.

Missing User Warnings

Medium
Confidence: 92%
Finding
These instructions perform impactful actions including writing deployment config files, creating services, and potentially deleting existing services, but they do not require a clear user-facing warning or explicit confirmation for the destructive parts. This increases the chance of unintended infrastructure changes, unexpected charges, or service downtime caused by automation acting with insufficient user awareness.

Missing User Warnings

Low
Confidence: 83%
Finding
The document explicitly instructs the agent to call external Alibaba Cloud CLI/API commands after user selection, but it does not tell the user that this will perform live network access against their cloud account context and may disclose account-scoped metadata such as available images, regions, labels, or other environment-derived results. In an agent setting, this can lead to silent external actions and unintended information exposure, even though the commands shown are read-only and narrowly scoped.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation explicitly states that services on the shared gateway are publicly accessible by default and does not pair that guidance with warnings about exposure, unauthorized access, or sending sensitive prompts/data over an open endpoint. In this skill context, which helps users deploy inference services, that omission can realistically lead to internet-exposed model endpoints and privacy/security misconfigurations.

Missing User Warnings

Medium
Confidence: 94%
Finding
The document instructs users to retrieve a live service token and use it in requests, but it provides no warning about treating the token as a secret, avoiding shell history/log exposure, or preventing accidental publication in examples and screenshots. In an agent skill context, this omission is risky because users may paste real tokens into terminals, notebooks, tickets, or shared docs, leading to unauthorized inference access.

Missing User Warnings

Medium
Confidence: 97%
Finding
The verification examples use plain HTTP endpoints without warning that requests may traverse networks unencrypted. If authentication tokens or model inputs are sent over HTTP, an attacker on the network path could intercept or tamper with traffic, exposing credentials and potentially sensitive prompts or outputs.
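The findings on plugin installation, persistent CLI configuration, delete-before-redeploy, access keys written via `aliyun configure set`, `--log-level=debug`, `--trust-remote-code` and plain-HTTP verification all reduce to the same control: a pre-flight check on each command the agent plans to run, which refuses the worst cases and forces a confirmation gate on the rest. The following is an added example of such a check, not code from the skill or from Alibaba Cloud. Two details it cannot take from this page and therefore assumes are that the delete/recreate step uses the literal verb `delete` and that plugin installation is invoked as `aliyun plugin install ...`; the `aliyun configure set` and `--log-level=debug` forms are the ones the findings quote.

```python
"""Pre-flight policy check for commands an agent plans to run.

Added example, not code from the skill under review. Assumptions not shown
on the page: the destructive step uses the verb `delete`, and plugin
installation is spelled `aliyun plugin install ...`.
"""
import shlex
from dataclasses import dataclass

RANK = {"block": 0, "confirm": 1, "warn": 2}
VERDICT = {"block": "refuse", "confirm": "confirm", "warn": "warn"}


@dataclass(frozen=True)
class Issue:
    severity: str   # block | confirm | warn
    rule: str
    detail: str


def _has_debug_log_level(args: list[str]) -> bool:
    """Match `--log-level=debug` and the two-token form `--log-level debug`."""
    if "--log-level=debug" in args:
        return True
    return any(args[i:i + 2] == ["--log-level", "debug"] for i in range(len(args) - 1))


def preflight(command: str) -> list[Issue]:
    """Return policy issues for one shell command line, most severe first."""
    argv = shlex.split(command)
    if not argv:
        return []
    tool, args = argv[0], [a.lower() for a in argv[1:]]
    issues: list[Issue] = []

    # A token or prompt sent to an http:// URL is readable and modifiable on path.
    for a in args:
        if a.startswith("http://"):
            issues.append(Issue("block", "plaintext-endpoint",
                                f"{a} is plain HTTP; use an https:// or private endpoint"))

    if tool == "aliyun":
        # `aliyun configure set` persists settings in ~/.aliyun/config.json.
        if args[:2] == ["configure", "set"]:
            if any(a.startswith("--access-key-secret") for a in args):
                issues.append(Issue("block", "secret-to-disk",
                                    "access key secret would be written to ~/.aliyun/config.json"))
            issues.append(Issue("confirm", "global-config-change",
                                "changes CLI configuration that outlives this deployment"))
        # Assumed plugin syntax: this pulls executable code onto the host.
        if args[:2] == ["plugin", "install"]:
            issues.append(Issue("confirm", "host-plugin-install",
                                "installs executable plugin code into the host CLI"))

    # Debug output is routinely pasted into tickets and chat.
    if _has_debug_log_level(args):
        issues.append(Issue("warn", "debug-logging",
                            "debug output may expose request metadata and auth context"))

    # Assumed destructive verb for the delete/recreate step.
    if "delete" in args:
        issues.append(Issue("confirm", "destructive-action",
                            "deletes an existing service; needs explicit user confirmation"))

    # vLLM: model repositories may ship Python that runs at load time.
    if "--trust-remote-code" in args:
        issues.append(Issue("warn", "remote-code-model-load",
                            "--trust-remote-code executes code from the model repository"))

    return sorted(issues, key=lambda i: RANK[i.severity])


def decide(command: str) -> str:
    """Collapse the issues into one verdict: run, warn, confirm, or refuse."""
    issues = preflight(command)
    return VERDICT[issues[0].severity] if issues else "run"


if __name__ == "__main__":
    # Constructed plan resembling the skill's steps; placeholder values, not real credentials.
    PLANNED = [
        "aliyun configure set --profile deploy --mode AK --access-key-id AKID "
        "--access-key-secret AKSECRET --region cn-hangzhou",
        "deploy-tool delete demo_service",
        "python -m vllm.entrypoints.openai.api_server --model /mnt/model --trust-remote-code",
        'curl -H "Authorization: TOKEN" http://example.invalid/api/predict/demo_service/v1/models',
    ]
    for cmd in PLANNED:
        print(decide(cmd).upper(), cmd)
        for issue in preflight(cmd):
            print(f"  [{issue.severity}] {issue.rule}: {issue.detail}")
```

Wire `decide()` in front of the agent's shell tool: `refuse` never executes, `confirm` requires the user to approve the exact command line, and `warn` executes but is echoed to the user with the reason. The `secret-to-disk` rule is deliberately a block rather than a confirmation, because the safer alternative (an environment-scoped or STS-style credential) is always available for a deployment job.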

Ssd 3

High
Confidence: 99%
Finding
Including sensitive access tokens verbatim in a user-facing response is a direct secret-disclosure flaw. Any party with access to the conversation, debug traces, analytics logs, or screenshots could reuse the token to invoke the service until it is rotated or expires.
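The three token-disclosure findings above (the AccessToken in the final response, the unwarned use of the token in verification requests, and this direct secret-disclosure flaw) share one mitigation: scrub the token from anything the agent emits to the transcript, leaving only a fingerprint that lets an operator tie the redaction to a later rotation. The block below is an added example, not code from the skill; it assumes the token appears after a label such as `AccessToken`, `Token`, `Authorization` or `token=` and consists of at least 20 URL-safe characters (a constructed format, since the page does not describe the real token layout), and it also removes any token the agent already holds regardless of context.

```python
"""Redact live service tokens from agent output before it reaches the transcript.

Added example, not code from the skill. Token shape and labels are assumed.
"""
import hashlib
import re

# Label (optionally quoted, JSON-style), separator, optional "Bearer", then the token value.
TOKEN_RE = re.compile(
    r"(?P<label>\b(?:access[_ -]?token|token|authorization|bearer)\b[\"']?\s*[:=]\s*[\"']?(?:bearer\s+)?)"
    r"(?P<token>[A-Za-z0-9_\-+/=]{20,})",
    re.IGNORECASE,
)


def fingerprint(secret: str) -> str:
    """Non-reversible short reference so a redaction can be correlated with a rotation."""
    return hashlib.sha256(secret.encode()).hexdigest()[:8]


def redact(text: str, known_secrets=()) -> str:
    """Replace labelled tokens, then any known literal, with [REDACTED:<fingerprint>]."""
    out = TOKEN_RE.sub(
        lambda m: f"{m.group('label')}[REDACTED:{fingerprint(m.group('token'))}]", text)
    for secret in known_secrets:          # defence in depth for unlabelled occurrences
        if secret:
            out = out.replace(secret, f"[REDACTED:{fingerprint(secret)}]")
    return out


def leaks(text: str, known_secrets) -> bool:
    """Final gate: True if any held secret still appears verbatim in the output."""
    return any(s and s in text for s in known_secrets)


# Constructed sample of a deployment "success" response; the token is a placeholder.
SAMPLE_TOKEN = "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA=="
SAMPLE_RESPONSE = (
    "Deployment complete.\n"
    "Endpoint: https://example.invalid/api/predict/demo_service\n"
    f"AccessToken: {SAMPLE_TOKEN}\n"
    f'Try: curl -H "Authorization: {SAMPLE_TOKEN}" '
    "https://example.invalid/api/predict/demo_service/v1/models\n"
)

if __name__ == "__main__":
    cleaned = redact(SAMPLE_RESPONSE, known_secrets=[SAMPLE_TOKEN])
    assert not leaks(cleaned, [SAMPLE_TOKEN])
    print(cleaned)
```

Run `redact()` on every tool result and every draft reply, and keep `leaks()` as the last check before the reply is sent: the regex handles the formats you anticipated, the literal pass handles the ones you did not, and the fingerprint keeps the transcript useful for incident correlation without ever containing the credential.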

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal