Alibabacloud Waf Security Monitor

Security checks across malware telemetry and agentic risk

Overview

This WAF monitoring skill is mostly read-only and purpose-aligned, but it makes broad local CLI changes and stores sensitive cloud security output in a predictable temporary log without enough containment.

Review before installing. Use a least-privilege RAM user limited to the listed read-only WAF Describe/List permissions, avoid entering access keys in agent-visible commands, and prefer OAuth or short-lived credentials. Run it only in an environment where changing Aliyun CLI plugin settings is acceptable. Treat /tmp/waf_skill_output.log as sensitive, restrict or delete it after use, and do not run this on a shared machine without controlling file permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium (94% confidence)
Finding
Although the skill is presented as a read-only monitoring workflow, it instructs the agent to modify local Aliyun CLI state by enabling auto-plugin installation and updating plugins. That creates side effects outside the claimed inspection scope and can change the user's execution environment in ways the user did not explicitly approve.

Scope Creep

Medium (91% confidence)
Finding
The skill's declared model emphasizes read-only cloud API access, but the workflow also performs CLI configuration changes such as enabling AI mode and setting client behavior. Even if these do not modify WAF resources, they still alter local/global tool state and exceed the operational expectations of a purely read-only inspection skill.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
The guide enables automatic plugin installation and update for the entire Aliyun CLI ecosystem, which expands executable functionality beyond a WAF-monitoring skill's stated scope. In an agent context, this increases attack surface and makes it easier for the skill to pull in additional capabilities that were not part of the original review boundary.

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The document teaches use of multiple high-privilege and cross-account authentication modes such as RamRoleArn and RamRoleArnWithEcs, which exceed the needs of a narrowly scoped WAF inspection skill. In an automated agent setting, this broadens credential authority and could enable access to unrelated cloud resources if the skill or surrounding workflow is misused.

Missing User Warnings

Medium (95% confidence)
Finding
The examples place access key material directly on the command line and explicitly recommend non-interactive/scripted usage, but they do not warn that secrets can leak into shell history, process listings, CI logs, or agent telemetry. This is especially risky for an API-driven or automated skill where commands may be logged or replayed.

Missing User Warnings

Medium (92% confidence)
Finding
The environment variable guidance encourages storing long-lived cloud credentials in process environment without warning that these values may be inherited by child processes, exposed in debugging output, or accessible in shared/containerized environments. For an agent skill that may run in automation, this materially increases the chance of credential disclosure.

Missing User Warnings

Medium (95% confidence)
Finding
The guidance repeatedly appends raw CLI output to /tmp/waf_skill_output.log, and WAF API responses can contain sensitive operational metadata such as instance identifiers, template IDs, attack statistics, domains, and protection configuration details. Writing this data to a world-accessible or shared temporary location without redaction, retention limits, or permission controls increases the risk of local disclosure and unintended cross-process access.

VirusTotal

65/65 vendors flagged this skill as clean.