Alibabacloud Pai Eas Service Diagnose

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Alibaba Cloud EAS troubleshooting skill, but it needs review because it can autonomously use cloud credentials to read service data and handle service tokens with incomplete safety guidance.

Install only if you are comfortable letting the agent use an existing Alibaba Cloud profile to read PAI-EAS service inventory, logs, events, endpoints, and diagnostic data. Use a least-privilege read-only RAM role, avoid root or long-lived access keys, review broad CLI/plugin setup before running it, and redact service tokens, AK/SK values, endpoints, and sensitive logs from any shared output. Treat the health-check disabling guidance as non-production-only unless an operator explicitly approves and tracks rollback.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Medium severity, 92% confidence
Finding
The skill instructs use of `aliyun ram list-policies-for-user` or equivalent IAM verification, which expands activity beyond the declared EAS diagnostic scope into account/identity enumeration. In an autonomous skill, this can cause unnecessary privilege probing and access to unrelated security metadata, increasing blast radius and violating least-privilege expectations.

Scope Creep

Medium severity, 87% confidence
Finding
The skill documents `DescribeServiceEndpoints` as an available command without declaring the corresponding permission in `required_permissions`. This mismatch can lead to undeclared capability requests or runtime authorization failures, and in some agent frameworks it undermines permission review by hiding actual access needs.
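A concrete version of the cross-check behind the two findings above, written for this report rather than taken from the skill or from SkillSpector: parse the `aliyun` invocations in a skill document, normalise them to `product:Action` form, and compare them with the declared `required_permissions`. The skill excerpt, the declared permission set, and the treatment of `required_permissions` entries as `product:Action` strings are all assumptions constructed for the example; `DescribeServiceEndpoints` appears only because the finding names it.

```python
"""Reconcile the aliyun CLI calls referenced in a skill document with the
permissions the skill declares, and flag calls outside the EAS diagnostic scope.
Added example for this report; the skill text, the declared set and the
"product:Action" permission form are constructed assumptions."""
import re
from typing import Iterable

# Assumed frontmatter declaration, as "product:Action" strings.
DECLARED_PERMISSIONS = {
    "eas:ListServices",
    "eas:DescribeService",
    "eas:DescribeServiceLog",
    "eas:DescribeServiceEvent",
}

# Constructed excerpt modelled on the report's findings, not the real skill file.
SKILL_TEXT = """
aliyun configure set --profile eas-diag --mode AK
aliyun eas ListServices --region cn-hangzhou
aliyun eas DescribeService --ClusterId ... --ServiceName ...
aliyun eas DescribeServiceEndpoints --ClusterId ... --ServiceName ...
aliyun ram list-policies-for-user --UserName eas-diag
"""

# Matches "aliyun <product> <action>"; the action may be PascalCase or kebab-case.
CLI_CALL_RE = re.compile(r"\baliyun\s+(?P<product>[a-z]+)\s+(?P<action>[A-Za-z][A-Za-z-]*)")
IN_SCOPE_PRODUCTS = {"eas"}


def normalise_action(action: str) -> str:
    """Map kebab-case or lowercase verbs to PascalCase API names."""
    if action.islower():
        return "".join(part.capitalize() for part in action.split("-"))
    return action


def audit_skill(text: str, declared: Iterable[str], in_scope=IN_SCOPE_PRODUCTS):
    """Return (undeclared in-scope calls, out-of-scope calls), both sorted."""
    declared = set(declared)
    undeclared, out_of_scope = set(), set()
    for m in CLI_CALL_RE.finditer(text):
        perm = f"{m['product']}:{normalise_action(m['action'])}"
        if m["product"] not in in_scope:
            # Anything that is not an EAS call (RAM enumeration, CLI setup) is scope creep.
            out_of_scope.add(perm)
        elif perm not in declared:
            # An EAS call the skill uses but never declared: the mismatch in the finding.
            undeclared.add(perm)
    return sorted(undeclared), sorted(out_of_scope)


if __name__ == "__main__":
    missing, foreign = audit_skill(SKILL_TEXT, DECLARED_PERMISSIONS)
    for p in missing:
        print(f"UNDECLARED: {p} is used but absent from required_permissions")
    for p in foreign:
        print(f"OUT OF SCOPE: {p} is not an EAS diagnostic call")
```

Run against the constructed excerpt, the audit reports `eas:DescribeServiceEndpoints` as undeclared and both `configure:Set` and `ram:ListPoliciesForUser` as outside the diagnostic scope, which is exactly the review a skill's permission manifest should be subjected to before an agent is allowed to act on it.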

Description-Behavior Mismatch

Medium severity, 97% confidence
Finding
This file is substantially out of scope for an EAS diagnosis-only skill: it teaches generic Aliyun CLI installation, authentication, plugin installation, and account configuration. In a troubleshooting skill, including broad cloud administration guidance increases the chance the agent will request or use credentials and perform unrelated actions, expanding attack surface and privilege exposure beyond diagnosis.

Context-Inappropriate Capability

Medium severity, 95% confidence
Finding
The guide instructs users on broad credential provisioning, profile management, and general cloud CLI usage that are not justified for EAS diagnosis alone. This can normalize collection and storage of powerful credentials, enabling misuse by an agent or user path that should have remained read-only and narrowly scoped.

Vague Triggers

Medium severity, 84% confidence
Finding
Several trigger phrases are broad enough to match generic troubleshooting requests, which can invoke this autonomous skill in situations where the user did not intend cloud diagnostic actions. Because the skill is designed to execute commands directly and gather service information on its own, accidental activation materially increases the chance of unintended data access and side effects like plugin installation or broad service enumeration.

Missing User Warnings

Medium severity, 93% confidence
Finding
The reference explicitly documents a `.Token` field as an access token but provides no warning that this value is sensitive, should be redacted from outputs, and must not be echoed back to users or logs. In a diagnostic skill, operators commonly copy command output verbatim, so documenting credential-bearing fields without handling guidance increases the chance of accidental credential disclosure.

Missing User Warnings

Medium severity, 92% confidence
Finding
The documentation demonstrates configuring long-lived Access Keys directly on the command line, which risks exposure via shell history, process listings, terminal logging, screenshots, and copied transcripts. Although environment variables are discussed later, this section lacks an immediate warning that these examples can persist sensitive secrets or leak them to other local users and automation systems.

Missing User Warnings

Medium severity, 92% confidence
Finding
The guide instructs users to retrieve a service Token and immediately pass it in an Authorization header during a connectivity test, but it provides no warning that the token is a credential that should be handled carefully. In troubleshooting contexts, users often copy commands into shared terminals, chat logs, tickets, shell history, or CI output, which can expose the token and enable unauthorized access to the service endpoint.

Missing User Warnings

Medium severity, 87% confidence
Finding
The documentation shows how to retrieve a service token and use it directly in an Authorization header, but it does not include any warning about treating the token as a secret, avoiding logging/screen capture, or redacting it from shared outputs. In a troubleshooting skill, users are likely to copy-paste commands and then paste results back into chats or tickets, which increases the chance of credential leakage and unauthorized service access.
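The redaction step that the `.Token`, command-line Access Key, and Authorization-header findings above all ask for, and that the overview recommends before sharing output, as an added example for this report (not code from the skill or from SkillSpector). The only real-world format it relies on is the `LTAI` prefix of RAM user access key IDs; the header and option shapes, the key names, and both sample inputs are constructed assumptions.

```python
"""Redact Alibaba Cloud credential material from PAI-EAS diagnostic output
before it is pasted into a ticket, chat or CI log. Added example for this
report, not code from the skill; patterns other than the LTAI key-ID prefix
are assumptions about typical transcripts."""
import json
import re
from typing import Any

MASK = "[REDACTED]"
# RAM user access key IDs start with "LTAI"; the length bound is an assumption.
AK_ID_RE = re.compile(r"\bLTAI[0-9A-Za-z]{12,}\b")
# "Authorization: <token>" as it appears in curl lines and HTTP dumps.
AUTH_HEADER_RE = re.compile(r"(?i)(authorization\s*:\s*)([^\s\"']+)")
# "--access-key-secret X", "AccessKeySecret=X", "access_key_secret: X".
SECRET_OPTION_RE = re.compile(r"(?i)(access[_-]?key[_-]?secret[\"']?\s*[=: ]\s*[\"']?)([^\s\"',]+)")
# JSON keys whose values are credentials, compared after lowercasing and
# dropping separators so "Token", "AccessKeySecret" and "security_token" all match.
SENSITIVE_KEYS = {"token", "accesskeyid", "accesskeysecret", "securitytoken", "authorization"}


def _norm(key: str) -> str:
    return re.sub(r"[^a-z]", "", key.lower())


def redact_text(text: str) -> str:
    """Scrub credentials from free-form text: shell transcripts, curl lines, logs."""
    text = AK_ID_RE.sub("LTAI" + MASK, text)
    text = AUTH_HEADER_RE.sub(lambda m: m.group(1) + MASK, text)
    text = SECRET_OPTION_RE.sub(lambda m: m.group(1) + MASK, text)
    return text


def redact_json(obj: Any) -> Any:
    """Recursively scrub a decoded JSON document such as a DescribeService response."""
    if isinstance(obj, dict):
        return {k: (MASK if _norm(k) in SENSITIVE_KEYS else redact_json(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_json(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def redact_output(raw: str) -> str:
    """Redact CLI output whether it is a JSON document or plain text."""
    try:
        return json.dumps(redact_json(json.loads(raw)), indent=2)
    except json.JSONDecodeError:
        return redact_text(raw)


# Constructed samples: the token and secret below are not real credentials.
SAMPLE_DESCRIBE = json.dumps({
    "ServiceName": "demo-svc",
    "Status": "Running",
    "Token": "ZmFrZS1zZXJ2aWNlLXRva2Vu",
    "InternetEndpoint": "http://demo-svc.example.invalid",
})
SAMPLE_TRANSCRIPT = (
    "$ aliyun configure set --profile eas --mode AK "
    "--access-key-id LTAI5tExampleExample0 --access-key-secret abcdefghijklmnopqrstuvwxyz1234\n"
    '$ curl -H "Authorization: ZmFrZS1zZXJ2aWNlLXRva2Vu" http://demo-svc.example.invalid/predict\n'
)

if __name__ == "__main__":
    print(redact_output(SAMPLE_DESCRIBE))
    print(redact_output(SAMPLE_TRANSCRIPT))
```

The JSON path masks by key so a `Token` field is scrubbed wherever it sits in the response, while the text path covers the two places the findings single out: the AK/SK typed on an `aliyun configure` line and the token pasted into a curl `Authorization` header. Endpoint hostnames are left visible here; if an operator's policy treats them as sensitive, the corresponding keys can be added to `SENSITIVE_KEYS`.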

Missing User Warnings

Medium severity, 92% confidence
Finding
The documentation explicitly recommends temporarily disabling liveness and readiness checks for debugging, but it does not warn that doing so can mask unhealthy instances, allow broken services to remain in rotation, and reduce automated recovery protections. In the context of an operational troubleshooting skill, users may copy this guidance directly into production-like environments, increasing the chance of service integrity and availability issues.

VirusTotal

66/66 vendors flagged this skill as clean.
