Alibabacloud Tair Devtoolset

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Alibaba Cloud Tair admin skill, but it needs review because it can create billable resources, expose database endpoints, change access rules, restore data, and includes insecure TLS and credential-handling examples.

Install only if you intend to let the agent operate Alibaba Cloud Tair resources. Use a least-privilege RAM role scoped to the specific account, region, and instances; avoid Resource "*" where possible. Do not run the bundled create-and-connect script unless you explicitly accept paid resource creation and public endpoint exposure, and prefer private/VPC connectivity for production. Treat restore and SHUTDOWN NOSAVE as last-resort operations after backups and written confirmation. Replace the TLS and credential examples with secure patterns before using them in real applications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a general Tair development toolkit, but it includes workflows that automatically modify security IP whitelists and allocate public endpoints, which materially change network exposure. Even though these actions are mentioned later in the content, they are high-impact operational changes that can broaden attack surface and should be disclosed more explicitly and gated with stronger consent at the top-level interface.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The Go cluster example sets InsecureSkipVerify=true and explicitly omits DNSName verification, so hostname verification is in fact disabled. The inline comment claiming this is 'not actually skipping' is misleading and may cause users to copy a weaker TLS posture without understanding that man-in-the-middle resistance is reduced to CA-chain validation only.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger list contains broad terms such as "redis" and "backup," which can cause the skill to activate in contexts where the user did not intend real Alibaba Cloud operations. Because this skill can perform destructive or security-sensitive actions like restore, whitelist changes, and public endpoint allocation, accidental activation raises the chance of unintended cloud changes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide includes commands that place long-lived AccessKey credentials directly on the command line and documents that they are stored in ~/.aliyun/config.json. In the context of an agent skill that performs real cloud operations, this increases the chance of credential exposure via shell history, process arguments, screenshots, copied transcripts, or insecure local file permissions, enabling unauthorized access to Alibaba Cloud resources.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Recommending non-interactive secret-bearing flags for CI/CD and agent-driven automation without warning about trace leakage is dangerous because automation systems often record command invocations in logs, job metadata, telemetry, and debugging output. Given this skill can drive real cloud changes, leaked keys could let an attacker create, modify, restore, or delete cloud resources well beyond the intended workflow.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document includes realistic plaintext credentials and an AUTH command pattern directly in example code, which can normalize insecure secret handling and lead users to copy credentials into source files, shells, logs, or screenshots. In a cloud operations skill for Tair/Redis, this is more dangerous because the examples are intended for real infrastructure connections, so exposed or reused credentials could grant direct access to live data stores.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document includes example code that hardcodes Redis/Tair credentials directly in source snippets without any warning to use environment variables or a secret manager instead. Even if presented as placeholders, this normalizes insecure credential handling and can lead users to commit real passwords into source control, logs, or build artifacts, especially in a skill that supports real cloud operations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Go example for proxy/direct TLS uses InsecureSkipVerify=true, which disables standard hostname verification while presenting the code as a normal TLS connection example. Users may assume they are getting full TLS authentication when they are not, enabling interception or redirection attacks if a trusted but wrong certificate can be presented.

Missing User Warnings

High
Confidence
98% confidence
Finding
The PHP cluster example disables both verify_peer and verify_peer_name, which turns off meaningful server certificate validation. This permits active man-in-the-middle attacks and makes the TLS example unsafe by default, especially because it is presented as a ready-to-use connection recipe.

Missing User Warnings

High
Confidence
96% confidence
Finding
The C# cluster example explicitly returns true for RemoteCertificateChainErrors and RemoteCertificateNameMismatch, thereby accepting invalid chains or hostname mismatches. This undermines TLS server authentication and can allow attackers with network position to impersonate the Redis/Tair endpoint.

Missing User Warnings

High
Confidence
97% confidence
Finding
The Spring Lettuce cluster example calls disablePeerVerification(), which disables TLS peer validation in a production-style configuration sample. Because this is infrastructure connection guidance for a cloud data service, readers are likely to deploy it directly, exposing credentials and traffic to interception by an active attacker.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The troubleshooting text recommends `SHUTDOWN NOSAVE` as a recovery action for busy or unkillable Lua scripts, but the guidance does not clearly and explicitly warn that this command immediately stops Redis without persisting in-memory data, which can cause data loss. In a skill that supports real cloud/database operations, operators may treat this as a normal remediation step and execute it during an incident, amplifying outage and data-loss risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions explicitly allocate a public endpoint and add the caller's public IP to the whitelist, which increases the attack surface of a newly created database instance. In a cloud operations skill, enabling Internet exposure without a prominent warning, safer private-network alternative, or least-exposure guidance can lead users to deploy reachable data services with weak or mismanaged access controls.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documented create command includes `--auto-pay true` and a paid charge type without a clear warning that running it will provision billable cloud resources. In an agent skill that can drive real cloud operations, this can cause unintended financial impact if a user follows or automates the command without understanding the billing consequences.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script creates a paid Tair instance with --auto-pay true and proceeds immediately, but does not require explicit user acknowledgment of cost or present a dry-run/confirmation gate before execution. In an agent skill context that can trigger real cloud operations, this increases the chance of unintended resource creation and unexpected billing from a simple invocation or misconfigured environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script allocates a public endpoint for the database instance automatically and does so without a prominent warning or separate approval for exposing the service to the Internet. Even though it also adds a whitelist entry, enabling public connectivity materially expands attack surface and can create accidental exposure if the IP is wrong, changes, or whitelist settings are later broadened.

VirusTotal

VirusTotal findings are pending for this skill version.