Alibabacloud Smartag Pilot

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for read-only Alibaba Cloud SAG inspection, but it should be reviewed because it can change local CLI setup, use cloud credentials, and run generated scripts.

Install only if you intend to let an agent inspect Alibaba Cloud SAG resources with read-only credentials. Use a least-privilege RAM policy or short-lived STS credentials, avoid entering real access keys in commands or chat, verify the Aliyun CLI installer yourself, and review any generated script and report path before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The skill is presented as an OpenAPI-based SAG inspection tool, but it also installs/updates CLI components and changes global CLI AI-mode configuration. That expands the trust boundary from read-only cloud inspection into persistent local environment modification, which can affect unrelated future sessions and tools.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
Installing or updating software and plugins is not necessary for answering many SAG inspection requests and materially increases risk. It can introduce supply-chain exposure, change the host state, and execute vendor-controlled code on the user's machine under the guise of a read-only inspection skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The document claims the skill is read-only and performs no resource modification, but later instructs writing and executing a generated script in the workspace. This contradiction can mislead users and reviewers about the real behavior and reduce scrutiny of code-execution and file-system side effects.

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding:
A 'read-only inspection' claim is undermined by instructions to modify files and execute code, which are local system modifications even if cloud APIs remain read-only. This mismatch increases the chance that dangerous actions are performed without informed consent or appropriate sandboxing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The guide extends beyond SAG inspection into general Alibaba Cloud CLI plugin discovery and installation for unrelated services such as ECS, VPC, RDS, and FC. In an agent skill scoped to SAG inspection, this broadens operator capability and increases the chance of unnecessary access, misuse, or accidental execution outside the intended least-privilege boundary.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The document includes cross-account and elevated-authentication patterns such as RamRoleArn and RamRoleArnWithEcs, which exceed a SAG status inspection use case. In practice, this can normalize overprivileged configurations and enable broader cloud access than the skill needs, increasing blast radius if credentials are misused or the agent is pointed at the wrong account or role.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The workflow tells the agent to write and execute an adapted script in the user's workspace without an explicit warning about code execution and filesystem changes. Executing generated code is a high-risk pattern because customization inputs can be wrong or adversarial, and the effects extend beyond passive inspection.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding:
The skill deterministically overwrites a markdown report file in the workspace on same-day reruns without an explicit overwrite warning. While lower severity than code execution, this can still destroy user data or replace analyst artifacts unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The guide instructs users to pass access keys directly on the command line, which can expose secrets through shell history, terminal recording, process listings, audit trails, or CI logs. Because this skill is meant for agent-driven automation, the risk is higher: agents and pipelines commonly log commands verbatim, turning credential setup into a likely secret disclosure path.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The environment variable examples place sensitive credentials into process environments without warning about leakage via CI job output, crash dumps, inherited subprocesses, debugging tools, or accidental echoing. While environment variables are common, omitting handling guidance in automation-oriented documentation materially increases the chance of unsafe secret exposure.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The template explicitly instructs an agent to modify the script, write it into the workspace, and execute it. In an agentic environment, this creates an unsafe code-generation-and-execution path without explicit user confirmation, increasing the risk of unintended command execution, misuse of configured cloud credentials, and unsafe filesystem writes.

VirusTotal

41/41 vendors flagged this skill as clean.