Alibabacloud Sas Overview

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a read-only Alibaba Cloud overview helper, but it asks users to run broad cloud CLI setup and credential workflows with under-disclosed global configuration changes.

Review before installing. Use only a least-privilege read-only RAM identity, avoid command-line or environment-variable long-lived secrets, do not run the full verification batch unless you want SAS, WAF, and billing data queried, and inspect or skip the AI-Mode and automatic plugin-install steps unless you understand their effect on your Aliyun CLI configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Intent-Code Divergence

Medium
93% confidence
Finding
The guide explicitly promotes full Alibaba Cloud CLI plugin ecosystem coverage even though the skill is scoped to read-only SAS overview queries. This broadens operator expectations and enables workflows far beyond the declared capability boundary, increasing the chance that an agent or user provisions unnecessary tooling and privileges that could later be used for unrelated cloud actions.

Intent-Code Divergence

Medium
97% confidence
Finding
The document instructs users to configure long-lived AccessKey credentials and role-assumption modes, including elevated and cross-account access patterns, despite the skill being a read-only SAS overview query tool. In this context, the mismatch encourages over-privileged authentication setups that materially increase blast radius if the host, agent, logs, or config files are compromised.

Intent-Code Divergence

Medium
95% confidence
Finding
The examples and next steps direct users toward unrelated service plugins and general Alibaba Cloud command exploration, which exceeds the skill's stated SAS overview scope. This creates a capability expansion path from a narrow security-read use case into broad cloud control-plane usage, increasing the likelihood of misuse, accidental privilege creep, and unsafe automation assumptions.

Context-Inappropriate Capability

Medium
95% confidence
Finding
The skill is described as a SAS overview query tool, but the documented required permissions also request WAF and billing access. That broadens the effective privilege scope beyond the core service boundary and violates least-privilege expectations, creating unnecessary access to unrelated security and financial data if these permissions are granted to the skill identity.

Description-Behavior Mismatch

Medium
93% confidence
Finding
The permissions documentation authorizes cross-service overview access that exceeds the manifest's stated SAS-only overview purpose. This mismatch can mislead operators into granting broader access than expected, enabling collection of WAF telemetry and billing information that falls outside the advertised scope of the skill.

Description-Behavior Mismatch

Medium
91% confidence
Finding
The verification guide directs use of WAF and billing APIs even though the skill is described as SAS overview-only. This expands the effective permission and data-access scope of the skill, causing unnecessary access to adjacent services and increasing the chance of over-collection, unintended charges, or policy violations during verification.

Context-Inappropriate Capability

Medium
88% confidence
Finding
The WAF verification steps are not well justified by the stated SAS overview purpose, so they introduce cross-service capability without clear necessity. In practice, this can normalize broad cloud-security reconnaissance under a narrower skill label, which is risky in agent environments where users may not expect unrelated API calls.

Vague Triggers

Medium
91% confidence
Finding
The trigger list includes generic phrases such as 'security score', 'vulnerability fix', 'baseline risk', and 'handled alerts' that can plausibly appear in ordinary conversation outside the intended Alibaba Cloud SAS context. This can cause unintended activation of the skill and execution of cloud CLI queries against a user's environment when they did not explicitly ask for this specific integration.

Natural-Language Policy Violations

Medium
95% confidence
Finding
The skill requires enabling AI-Mode and setting a custom user agent before any CLI use, but does not present this as an informed user choice or explain the privacy and behavior implications. Because this changes CLI operating mode globally for the session, it can alter telemetry, plugin behavior, or downstream execution semantics in a way the user did not knowingly consent to.

Missing User Warnings

Medium
98% confidence
Finding
The guide shows secrets passed directly on the command line, which can be exposed through shell history, process listings, audit logs, terminal recordings, and agent telemetry. Because these are cloud credentials, exposure can immediately lead to unauthorized API access and broader account compromise depending on attached permissions.

Missing User Warnings

Medium
96% confidence
Finding
The document recommends exporting long-lived credentials as environment variables without warning that they may be inherited by child processes, leaked in CI/CD logs, captured in crash reports, or persisted in shell startup files. In an agent or automation setting, environment propagation significantly increases the chance of credential disclosure across tools and subprocesses.

Vague Triggers

Medium
76% confidence
Finding
The instruction to run all verification commands together is overly broad and lacks guardrails about when verification should occur, what permissions are needed, and whether the user has authorized account-wide checks. That increases the risk of unnecessary bulk API activity across security and billing services, especially in automated or agent-driven execution contexts.

Missing User Warnings

Medium
93% confidence
Finding
The document contains many live API calls to security and billing services but does not prominently warn that verification will access account data and generate cloud API activity. In an agent setting, missing consent and transparency around such access can lead to privacy, governance, and operational issues even if the calls are nominally read-only.

VirusTotal

VirusTotal findings are pending for this skill version.
