Alibabacloud Sas Malware Detection

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent as a cloud malware scanner, but it asks for broad Alibaba Cloud setup and can upload user files to Alibaba Cloud with some under-scoped consent and routing behavior.

Install only if you are comfortable sending selected files, hashes, sizes, paths, and related metadata to Alibaba Cloud for scanning and if you have a narrowly scoped RAM user for SAS only. Confirm the region explicitly before any scan, avoid scanning secrets or regulated data, and do not follow the broad Aliyun CLI examples for unrelated services or credential handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This file substantially exceeds the scope of a malware-detection skill by teaching full Aliyun CLI installation, authentication, profile management, and general service usage. In the context of an agent skill intended only to scan files for malware, this broadens operator and agent capability unnecessarily and increases the risk of unintended cloud access, credential handling, and misuse.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The plugin installation and command exploration section enables expansion into arbitrary Alibaba Cloud services beyond malware detection. For a narrowly scoped security scanning skill, encouraging general plugin installation meaningfully enlarges the accessible attack surface and creates opportunities for privilege abuse or accidental operations outside the intended function.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The skill explicitly instructs the agent to silently choose a RegionId and not confirm or display it to the user, even though the same document says all user-customizable parameters must be confirmed. Silent parameter selection can route uploads and malware samples to an unexpected jurisdiction or service endpoint, undermining user consent, auditability, and compliance expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The acceptance criteria explicitly instruct uploading a local file to a remote OSS endpoint as part of malware scanning, but they do not require any user warning, consent, or data-handling disclosure before transmission. In a security-scanning skill, this is materially risky because users may provide sensitive binaries, documents, or proprietary files and the skill normalizes exfiltrating them to a third-party cloud service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
These examples place access key ID and secret directly on the command line, which can leak through shell history, process listings, terminal logging, CI logs, and copied documentation. In an agent-oriented skill, this is more dangerous because users may paste real secrets into automation contexts where retention and exposure are harder to control.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The environment variable examples encourage exporting cloud credentials without warning that such secrets may be inherited by child processes, captured in debug output, exposed in CI environments, or read by other users in shared execution contexts. Because this skill may be used in automation, the omission increases the chance of credential sprawl and accidental disclosure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The verification instructions tell users to scan a file with an external malware detection service but do not disclose that file contents, hashes, or related metadata may be transmitted off-host. This can cause unintended exposure of sensitive files because users are encouraged to run the command directly on arbitrary local paths without any privacy or data-handling warning.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs users to enumerate and scan an entire directory but provides no warning that filenames, sizes, paths, and possibly file contents from multiple files may be exposed to an external service. Directory-wide operations materially increase risk because they can bulk-disclose sensitive filesystem structure and data beyond what the user intended to share.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script transmits the scanned file to a remote Alibaba Cloud OSS endpoint as part of the malware detection workflow, but it provides no explicit warning, confirmation, or privacy notice before upload. This is dangerous because users may unknowingly send sensitive or regulated files off-host, creating confidentiality, compliance, and data-handling risks even if the upload is functionally intended.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
aliyun sas create-file-detect-upload-url --type 0 --hash-key-list "$md5"
```

## 5. OSS Form Upload via curl

#### CORRECT
```bash
curl -s -o /dev/null -w "%{http_code}" \
  -X POST "$public_url" \
  -F "key=$oss_key" \
  -F "policy=$policy" \
  -F "OSSAccessKeyId=$access_id" \
  -F "Signature
```
Confidence
93% confidence
Finding

VirusTotal

63/63 vendors flagged this skill as clean.
