Alibabacloud Tech Solution Animation Creation Auto Deploy

Security checks across malware telemetry and agentic risk

Overview

This is a real Alibaba Cloud deployment skill, but it can make broad, persistent account changes and it exposes a newly created API key in its output.

Install only if you intend to let an agent modify an Alibaba Cloud account. Use a disposable or tightly scoped RAM user, review the scripts before running, avoid production credentials, do not allow the generated API key to be printed into chat or logs, and remove created resources, API keys, RAM roles, custom domains, and attached full-access policies after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill invokes extensive shell commands and scripts but does not declare permissions or clearly constrain what the shell capability may do. This creates a gap between the agent's apparent authority and its actual ability to modify cloud resources, making review, policy enforcement, and user consent weaker.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description says the skill deploys an app, but the workflow also attaches powerful RAM policies, creates API keys/workspaces, modifies roles and trust policies, and provisions a custom domain. Hidden privilege escalation and identity changes are especially risky because users may approve a deployment task without realizing it alters IAM and creates long-lived credentials.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The document first forbids printing credential values, then states the API key creation script prints the full Bailian API key. Exposing a live API key in terminal output, logs, chat transcripts, or agent telemetry can lead to credential theft and unauthorized API usage.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script performs additional privileged actions beyond straightforward application deployment by enumerating workspaces, creating a Model Studio workspace if absent, and then provisioning an API key. In the context of an auto-deploy skill, silently expanding scope into identity/credential provisioning increases blast radius and can surprise users or operators who expected only infrastructure deployment.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script creates a new API credential and exports it into the shell environment even though the stated purpose is deployment automation; that introduces a reusable secret that may persist beyond the deployment session. Because the key appears to be long-lived and not tightly scoped or ephemeral, compromise of terminal history, logs, subprocess environments, or CI output could allow unauthorized access to the associated Model Studio resources.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide tells users to pass access key secrets directly on the command line and via exported environment variables, but does not warn that these values may be exposed through shell history, CI logs, process listings, or inherited environments. In an automation/deployment skill, this is especially risky because users may copy-paste commands into shared shells or pipelines, leading to credential disclosure and subsequent cloud account compromise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Recommending debug logging for authenticated API calls without warning about sensitive output can expose request metadata, token context, signed requests, or other credential-adjacent information in terminal scrollback, support bundles, or CI logs. Because this skill is used for deployment automation, debug output is more likely to be captured and retained in shared systems.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script automatically grants broad system-managed permissions (AliyunOSSFullAccess and AliyunFCFullAccess) to the detected RAM user without any interactive confirmation, approval gate, or scope minimization. In an auto-deploy skill, this is dangerous because simply running the skill can silently escalate privileges on a cloud account, enabling storage and function-service actions beyond what is necessary for a narrowly scoped deployment.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script prints the newly created API key value directly to stdout, which can expose the credential to terminal scrollback, shell logs, orchestration logs, CI/CD systems, or calling agents. In an automated skill context this is especially dangerous because stdout is commonly captured, forwarded, or persisted outside the user's immediate control.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically retrieves the caller's Alibaba Cloud account ID and sends it to an external service at domain.devsapp.net without any in-file notice, confirmation, or minimization. Even if required for the workflow, this is a real privacy and trust-boundary issue because it discloses account-identifying metadata to a third party as part of an automated deployment step.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script creates a helper service, function, trigger, DNS registration, and custom domain, then deletes some helper resources, all without any user confirmation or dry-run mode. In an agent skill context, undisclosed resource mutation is risky because it can incur costs, alter attack surface, and make incident review harder, especially since cleanup errors are suppressed with '|| true'.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
**Required system policies:** `AliyunFCFullAccess`, `AliyunOSSFullAccess`

**Additional permissions:** Devs-related permissions (`devs:CreateProject`, `devs:RenderServicesByTemplate`, `devs:UpdateEnvironment`, `devs:DeployEnvironment`, `devs:ListEnvironments`, `devs:GetEnvironment`)

**Before the Core Workflow, automatically check and attach required policies:**
Confidence
92% confidence
Finding
permissions:*

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
  RAM_USER=$(echo "$IDENTITY" | python3 -c "import sys,json; print(json.load(sys.stdin)['Arn'].split('/')[-1])")
  echo "RAM user: $RAM_USER, auto-attaching required policies..."
  for POLICY in $POLICIES; do
    aliyun ram attach-policy-to-user --policy-type System --policy-name "$POLICY" --user-name "$RAM_USER" --user-agent AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy 2>&1 | grep -v '"RequestId"' || true
  done
  echo "Policies attached."
else
Confidence
90% confidence
Finding
auto-deploy

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
  echo "No Bailian workspace found, creating one..."
  CREATE_WS_RESULT=$(aliyun modelstudio create-workspace \
    --workspace-name "default" \
    --user-agent AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy 2>&1)
  WORKSPACE_ID=$(echo "$CREATE_WS_RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin)['workspace']['workspaceId'])")
  echo "Workspace created: $WORKSPACE_ID"
else
Confidence
76% confidence
Finding
auto-deploy

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
CREATE_RESULT=$(aliyun modelstudio create-api-key \
  --workspace-id "$WORKSPACE_ID" \
  --description "$DESCRIPTION" \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy 2>&1)

# Extract API Key value and ID
API_KEY=$(echo "$CREATE_RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin)['apiKey']['apiKeyValue'])")
Confidence
88% confidence
Finding
auto-deploy

Excessive Permissions

Low
Category
Privilege Escalation
Content
**Required system policies:** `AliyunFCFullAccess`, `AliyunOSSFullAccess`

**Additional permissions:** Devs-related permissions (`devs:CreateProject`, `devs:RenderServicesByTemplate`, `devs:UpdateEnvironment`, `devs:DeployEnvironment`, `devs:ListEnvironments`, `devs:GetEnvironment`)

**Before the Core Workflow, automatically check and attach required policies:**
Confidence
90% confidence
Finding
permissions:*

Tool Parameter Abuse

High
Category
Tool Misuse
Content
aliyun devs delete-project --name "$PROJECT_NAME" --force true --user-agent AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy

# 3. Delete OSS Bucket (recursively delete all objects first, then delete the Bucket)
aliyun oss rm "oss://$BUCKET_NAME" -r -f --region cn-hangzhou --ua AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy
aliyun oss rm "oss://$BUCKET_NAME" -b -f --region cn-hangzhou --ua AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy

# 4. Delete Bailian API Key (API_KEY_ID is output during create-api-key.sh execution)
Confidence
95% confidence
Finding
rm "oss://$BUCKET_NAME" -r -f --region cn-hangzhou --ua AlibabaCloud-Agent-Skills/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# 3. Delete OSS Bucket (recursively delete all objects first, then delete the Bucket)
aliyun oss rm "oss://$BUCKET_NAME" -r -f --region cn-hangzhou --ua AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy
aliyun oss rm "oss://$BUCKET_NAME" -b -f --region cn-hangzhou --ua AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy

# 4. Delete Bailian API Key (API_KEY_ID is output during create-api-key.sh execution)
aliyun modelstudio delete-api-key --api-key-id "$API_KEY_ID" --user-agent AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy
Confidence
94% confidence
Finding
rm "oss://$BUCKET_NAME" -b -f --region cn-hangzhou --ua AlibabaCloud-Agent-Skills/

VirusTotal

67/67 vendors flagged this skill as clean.
