Alibabacloud Tablestore Ops

Security checks across malware telemetry and agentic risk

Overview

This is mostly a read-only Alibaba Tablestore helper, but its supporting docs include copyable commands that can grant broader cloud permissions than the skill says it needs.

Review commands before use. Use a dedicated RAM user or role with AliyunOTSReadOnlyAccess only, avoid the FullAccess and CreateInstance examples, do not share raw Aliyun config output, and install the Aliyun CLI only from a source you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
This is a true issue: the file is for a read-only Tablestore skill, but the examples show attaching `AliyunOTSFullAccess` and creating a custom policy that includes `ots:CreateInstance`. In an operational runbook or agent skill, users often copy-paste examples directly, so these commands can cause privilege expansion well beyond the documented scope and enable unintended resource creation or broader compromise if the credentials are misused.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The verification guidance for a supposedly read-only skill includes `aliyun otsutil config`, which changes local CLI state by writing instance and endpoint configuration. While this does not directly modify cloud resources, it expands the skill beyond read-only data access and can redirect subsequent commands to a different instance or account context. In a security-sensitive agent setting, undocumented state-changing setup steps increase the risk of unintended actions and mis-scoped access.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The troubleshooting section instructs users to run `aliyun configure`, which rewrites local credential configuration and exceeds the declared read-only querying purpose of the skill. In an agent-driven workflow, this can alter the authenticated identity used by later commands, potentially causing access to the wrong environment or encouraging unsafe credential handling. The issue is contextual: it is more dangerous because the skill is explicitly framed as read-only, so operators may not expect credential-changing behavior.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The end-to-end workflow includes verifying or relying on configured Aliyun CLI credentials, introducing credential-management and authentication-context dependencies not narrowly justified by the skill's stated read-only Tablestore query purpose. Even if operationally common, embedding this into the skill increases the chance an agent will prompt for, inspect, or depend on account credentials in ways that broaden the attack surface. In security review terms, this is a scope-expansion issue rather than direct exploitation code, but it remains risky in automated environments.

Missing User Warnings

Medium
Confidence: 90%
Finding
The guide instructs users to enter AccessKey ID and AccessKey Secret interactively but does not warn that these are sensitive long-lived credentials, may be stored by the CLI, and should be handled with least privilege. In a documentation context this is a real security weakness because readers may use highly privileged keys or store them on shared systems without understanding the risk.

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation recommends an attach-policy command using `AliyunOTSFullAccess` inside a read-only skill, without an immediate, prominent warning on the command itself that it exceeds the intended scope. Because the skill context is explicitly read-only, this mismatch makes the example more dangerous: it normalizes over-privileged access and increases the chance operators grant unnecessary permissions to automation or human users.

Missing User Warnings

Medium
Confidence: 97%
Finding
The sample output explicitly includes credential-related fields such as `AccessKeyId` and `AccessKeySecret`, which normalizes handling and displaying secret material in documentation. In an agent skill context, this is more dangerous because tools or downstream agents may echo command output into logs, chats, or artifacts, causing accidental credential exposure even if the sample values are masked.

Ssd 3

Medium
Confidence: 96%
Finding
The example response for `aliyun otsutil config` includes credential-related fields such as `AccessKeyId` and `AccessKeySecret`, even though masked. Showing those fields in guidance normalizes secret exposure and may lead users to paste or log real command output containing sensitive values into chats, tickets, or shared terminals. In a credential-handling skill, this context makes the issue more dangerous because users are already being guided through authentication steps.

VirusTotal

51/51 vendors flagged this skill as clean.