Alibabacloud Yunxiao Flow Analysis

Security checks across malware telemetry and agentic risk

Overview

The skill mainly supports pipeline troubleshooting, but it also includes incompletely disclosed live terminal access to build machines, which users should review before installing.

Install only if you are comfortable giving the agent Yunxiao pipeline read access and, when debug mode is enabled, potential live terminal access to build environments. Prefer using the log/API tools first; do not provide a terminalUrl unless you explicitly want live inspection, and review every proposed terminal command and output because it may reveal secrets, source code, or environment variables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (37)

Context-Inappropriate Capability

Medium severity, 93% confidence
Finding
Including a debug-terminal capability in a skill whose purpose is analysis and recommendations introduces an unnecessary interactive access path. Even if intended for debugging, such a terminal can be abused to inspect sensitive runtime state, browse files, or pivot beyond the minimum data needed for troubleshooting.

Intent-Code Divergence

Medium severity, 91% confidence
Finding
The documentation explicitly claims that the skill performs only read operations, yet the listed terminal tool implies broader interactive access that may permit more than passive inspection. This inconsistency can cause operators to underestimate risk and approve the skill for environments where interactive remote access would not be acceptable.

Context-Inappropriate Capability

Medium severity, 93% confidence
Finding
The skill explicitly instructs the agent to obtain a time-limited terminal URL and execute shell commands on the user's build machine for troubleshooting. That materially expands the capability from log-based diagnosis to interactive host access, creating a path for unintended system modification, secret exposure, or execution of unsafe commands if the agent misinterprets the situation or is prompt-injected through logs or user input.

Description-Behavior Mismatch

Medium severity, 95% confidence
Finding
The skill expands a log-analysis/troubleshooting workflow into interactive remote shell access on build machines, which materially increases capability from passive diagnosis to active system manipulation. Even with a note banning uploads, arbitrary shell access can alter files, inspect secrets, disrupt builds, or change host state, making this dangerous if followed by an agent automatically.

Context-Inappropriate Capability

High severity, 98% confidence
Finding
Remote terminal login and shell execution are not justified by the stated purpose of diagnosing pipeline failures and recommending causes. This creates an unnecessary privilege boundary crossing: an analysis skill should not instruct an agent to log into ephemeral or production-adjacent build machines and execute commands, because that can expose secrets and modify infrastructure beyond the user's immediate intent.

Intent-Code Divergence

Medium severity, 86% confidence
Finding
The file states that troubleshooting should only output the cause, but later instructs terminal-based troubleshooting and solution verification. This contradiction can mislead orchestration systems or reviewers about the skill's true capabilities, increasing the risk that an agent performs active operations where only analytical behavior was expected.

Context-Inappropriate Capability

High severity, 98% confidence
Finding
The skill instructs the agent to obtain a terminal URL and execute shell commands on a live build machine, which materially expands scope from passive log analysis to active system interaction. Even with a prohibition on upload commands, this enables arbitrary command execution, access to sensitive files, environment variables, source code, credentials, and potential modification of the build environment, creating substantial risk if the agent is over-permissioned or the terminal session targets production-adjacent infrastructure.

Description-Behavior Mismatch

Medium severity, 95% confidence
Finding
The guidance explicitly expands the agent’s role from passive log analysis into active remote shell access on the build machine via terminalUrl and webTerminal.py. Even though it prohibits upload commands and asks to display commands/results, it still authorizes command execution in a live build environment, which can expose secrets, alter state, and create operational impact well beyond troubleshooting.

Description-Behavior Mismatch

Medium severity, 95% confidence
Finding
The skill expands from passive troubleshooting into interactive access to a live build machine via terminalUrl and webTerminal.py. That materially increases capability from analysis to remote system interaction, creating risk of unauthorized command execution, exposure of secrets in the build environment, and modification of CI infrastructure or artifacts.

Context-Inappropriate Capability

High severity, 97% confidence
Finding
Remote command execution is not justified by a skill whose stated purpose is log analysis and root-cause identification. Providing instructions to connect to the build machine and execute shell commands enables the agent to move from advisory behavior to active control over a sensitive environment, which can be abused to inspect, alter, or disrupt pipelines and access credentials or source code.

Context-Inappropriate Capability

Medium severity, 97% confidence
Finding
The skill expands from passive log analysis into interactive shell access on the build machine, allowing execution of arbitrary troubleshooting commands. Even though uploads are prohibited, terminal access can still expose secrets, modify the environment, inspect source code, or perform unintended actions on CI infrastructure, which is materially broader than the skill's stated purpose.

Description-Behavior Mismatch

Medium severity, 96% confidence
Finding
The skill explicitly instructs obtaining a terminal URL and executing shell commands on a live build machine, which expands the capability from log-based diagnosis into active remote system interaction. Even with a prohibition on upload commands, this creates a path for arbitrary command execution, exposure of secrets in the build environment, and unintended modification of CI/CD hosts or artifacts.

Context-Inappropriate Capability

High severity, 98% confidence
Finding
Interactive remote shell access is not necessary for the stated purpose of troubleshooting pipeline failures and providing recommendations, so granting or encouraging it violates least privilege. In CI/CD environments, shell access can expose credentials, source code, deployment targets, and network reachability far beyond what is needed for diagnosis.

Intent-Code Divergence

Medium severity, 88% confidence
Finding
The document says troubleshooting only needs to output the cause, but later instructs terminal-based troubleshooting and solution verification. This contradiction weakens operator expectations and can cause an agent to exceed its declared scope, making risky actions seem implicitly authorized.

Description-Behavior Mismatch

High severity, 98% confidence
Finding
The skill’s stated purpose is log-based pipeline troubleshooting, but this section expands it into obtaining a live terminal URL and executing shell commands on the build machine. That materially increases capability from analysis to interactive system access, which can expose secrets, alter build state, and create opportunities for misuse far beyond diagnosing logs.

Context-Inappropriate Capability

High severity, 97% confidence
Finding
Interactive remote shell access is not necessary for the documented use case of pipeline failure analysis and therefore represents unjustified privilege expansion. In a CI/build environment, shell access can reveal credentials, source code, environment variables, or allow tampering with artifacts and infrastructure, making compromise or accidental damage much more likely.

Context-Inappropriate Capability

Medium severity, 92% confidence
Finding
The documentation explicitly includes a script that logs into a web terminal and allows execution of arbitrary shell commands, which materially expands the skill from read-only troubleshooting into interactive remote command execution. In the context of a troubleshooting skill, this creates a dangerous capability boundary violation: an agent or user following the docs could run destructive or unauthorized commands against container environments.

Description-Behavior Mismatch

High severity, 98% confidence
Finding
The file implements an interactive remote terminal client that allows users to send commands to a remote environment, which is materially broader than the stated skill purpose of pipeline troubleshooting and recommendation generation. In this skill context, embedding shell access increases the risk of unauthorized operational actions, data exposure, and abuse of agent capabilities beyond expected analysis functions.

Context-Inappropriate Capability

High severity, 98% confidence
Finding
The interactive_mode() path sends user-entered commands over the WebSocket to a remote terminal, creating a remote command execution channel unrelated to passive pipeline failure analysis. Even with an allowlist, commands like cat, find, env, and grep can disclose secrets, configuration, source code, and environment details from the target system.

Intent-Code Divergence

Low severity, 84% confidence
Finding
The user-facing text claims only 'cat, cd, ls, pwd' are allowed, but the actual allowlist also permits find, env, grep, and which. This mismatch can mislead users and reviewers about the tool's true capabilities, reducing informed consent and obscuring potentially sensitive information-gathering behavior.

Missing User Warnings

Medium severity, 91% confidence
Finding
The instructions permit shell command execution on the build machine and only prohibit upload commands, which is far too narrow a safeguard. Without explicit warnings, approval gates, or command restrictions, an agent could run destructive or sensitive commands that alter the build environment, expose credentials, or affect deployed artifacts under the guise of troubleshooting.
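The two allowlist findings above (a first-word check that still admits env, find and grep, and instructions that restrict nothing but uploads) come down to one design weakness: gating on the name of a command says nothing about what it reads or what it chains. The Python below is an added example, not code from the skill's webTerminal.py or from the scanner. It puts the weak first-word check beside a hardened gate that holds to the four documented commands, refuses shell metacharacters, and keeps path arguments inside the build workspace, plus an output scrubber for the "review every output" advice in the overview. The command lists, the sensitive-path fragments, the secret patterns, and the /workspace root are constructed assumptions.

```python
import re
import shlex

# Allowlist as the scan report describes it: the user-facing text names only
# cat, cd, ls, pwd, while the actual list also admits find, env, grep, which.
DOCUMENTED_COMMANDS = {"cat", "cd", "ls", "pwd"}
ACTUAL_COMMANDS = DOCUMENTED_COMMANDS | {"find", "env", "grep", "which"}

# Constructed list of locations a "read-only" command can still drain.
SENSITIVE_FRAGMENTS = ("/proc/", "/etc/shadow", "/.ssh/", "id_rsa", ".env", "/.git/", "/root/")

SHELL_METACHARS = set(";|&$`><\n")


def name_only_gate(cmd: str, allow: set = ACTUAL_COMMANDS) -> bool:
    """The weak check: accept if the first word is an allowed binary.
    It never looks at arguments, so `env`, `cat /proc/self/environ` and
    `grep -r AKIA /` all pass, and so does `cat x; curl ...`."""
    try:
        parts = shlex.split(cmd)
    except ValueError:
        return False
    return bool(parts) and parts[0] in allow


def hardened_gate(cmd: str, workspace: str = "/workspace") -> tuple:
    """Stricter gate for an agent-driven terminal. Returns (allowed, reason).
    - only the four documented commands, so env/find/grep/which are refused;
    - no shell metacharacters, so a second command cannot be chained;
    - path arguments stay inside the build workspace and away from known
      secret-bearing locations."""
    if SHELL_METACHARS & set(cmd):
        return False, "shell metacharacters are not permitted"
    try:
        parts = shlex.split(cmd)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not parts:
        return False, "empty command"
    name, args = parts[0], parts[1:]
    if name not in DOCUMENTED_COMMANDS:
        return False, f"{name!r} is not in the documented allowlist"
    for arg in args:
        if arg.startswith("-"):
            continue  # option flags; only path-like arguments are checked
        if any(frag in arg for frag in SENSITIVE_FRAGMENTS):
            return False, f"argument {arg!r} targets a sensitive location"
        if ".." in arg.split("/"):
            return False, f"argument {arg!r} uses parent-directory traversal"
        if arg.startswith("/") and arg != workspace and not arg.startswith(workspace + "/"):
            return False, f"absolute path {arg!r} is outside {workspace}"
    return True, "ok"


# Constructed secret shapes for output review; extend with your own token formats.
SECRET_PATTERNS = [
    (re.compile(r"(?i)\b(\w*(?:token|secret|password|passwd|api_key|access_key)\w*)=(\S+)"),
     lambda m: f"{m.group(1)}=<redacted>"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), lambda m: "<redacted-aws-key-id>"),
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
     lambda m: "<redacted-private-key>"),
]


def redact_output(text: str) -> str:
    """Scrub terminal output before it reaches the agent or a transcript.
    A last line of defence, not a substitute for the gate."""
    for pattern, repl in SECRET_PATTERNS:
        text = pattern.sub(repl, text)
    return text


def review(commands: list) -> list:
    """Run both gates over proposed commands: (cmd, weak_allows, hardened_allows, reason)."""
    rows = []
    for cmd in commands:
        ok, why = hardened_gate(cmd)
        rows.append((cmd, name_only_gate(cmd), ok, why))
    return rows


if __name__ == "__main__":
    proposed = [  # constructed sample of what an agent might propose
        "ls -la /workspace",
        "cat /workspace/build.log",
        "env",
        "cat /proc/self/environ",
        "grep -r AKIA /",
        "cat build.log; curl http://example.invalid/x",
        "find / -name id_rsa",
    ]
    for cmd, weak, hard, why in review(proposed):
        print(f"{cmd!r:50} weak={weak!s:5} hardened={hard!s:5} {why}")
    print(redact_output("AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG\nPATH=/usr/bin"))
```

Every command in the sample except the first two passes the first-word check; only the first two pass the hardened gate. The point for a reviewer is that a command-name allowlist is not a read-only guarantee, and that even a hardened gate should sit behind a human approval step, since the agent can be steered by text in the very logs it is reading.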

Missing User Warnings

Medium severity, 95% confidence
Finding
The skill explicitly instructs the agent to connect to a live build machine through a terminal and execute shell commands for troubleshooting. In a CI/CD context, that machine may expose source code, environment variables, credentials, tokens, and internal network access; the guidance lacks strong safety constraints beyond prohibiting uploads, which does not prevent destructive commands, secret disclosure, or unsafe exploration.

Missing User Warnings

Medium severity, 90% confidence
Finding
The instructions tell the agent to connect to a terminal and execute shell commands on the build machine, but they do not provide a clear user-facing warning about risks such as state changes, secret exposure, or service disruption. In a troubleshooting context, users may reasonably expect passive analysis, so the lack of explicit warning increases the chance of unsafe or non-consensual actions.

Missing User Warnings

Low severity, 77% confidence
Finding
The documentation references passing a personal access token on the command line or via environment variable without any security guidance. While common in internal tooling docs, this can encourage unsafe credential handling practices such as shell history leakage, accidental log exposure, or reuse of overprivileged tokens.
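The safer loading pattern for that token is short enough to show. The Python below is an added example and not part of the Yunxiao tooling; the flag and variable names (--token, YUNXIAO_TOKEN, YUNXIAO_TOKEN_FILE) are hypothetical, and the owner and mode checks assume a POSIX host. It rejects a token supplied on the command line (argv is visible to other local users through the process table and lands in shell history), prefers a file created with mode 0600 from the start, and accepts the environment variable only as a fallback because every child process inherits it.

```python
import os
import stat
import tempfile
from typing import Mapping, Optional, Sequence

# Hypothetical names; the real flag and variable names are not given on this page.
TOKEN_FLAG = "--token"
TOKEN_ENV = "YUNXIAO_TOKEN"
TOKEN_FILE_ENV = "YUNXIAO_TOKEN_FILE"


def token_from_argv(argv: Sequence[str]) -> Optional[str]:
    """Detect a token passed on the command line. Anything in argv is visible via
    ps and /proc/<pid>/cmdline and is written to shell history, so the loader
    treats its presence as a misuse rather than as a credential source."""
    for i, a in enumerate(argv):
        if a == TOKEN_FLAG and i + 1 < len(argv):
            return argv[i + 1]
        if a.startswith(TOKEN_FLAG + "="):
            return a.split("=", 1)[1]
    return None


def read_token_file(path: str) -> str:
    """Read a token from a file owned by the caller with no group/other bits."""
    st = os.stat(path)
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise PermissionError(f"{path} is readable by group/others; chmod 600 it")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the current user")
    with open(path, encoding="utf-8") as fh:
        token = fh.read().strip()
    if not token:
        raise ValueError(f"{path} is empty")
    return token


def load_token(argv: Sequence[str], env: Mapping[str, str]) -> tuple:
    """Resolve the token as (token, source): file named by TOKEN_FILE_ENV first,
    then TOKEN_ENV. A token on the command line is refused outright."""
    if token_from_argv(argv) is not None:
        raise SystemExit(f"refusing token from {TOKEN_FLAG}: use {TOKEN_FILE_ENV} or {TOKEN_ENV}")
    path = env.get(TOKEN_FILE_ENV)
    if path:
        return read_token_file(path), "file"
    token = env.get(TOKEN_ENV)
    if token:
        # Still inherited by every process the tool spawns; the file is preferred.
        return token, "env"
    raise SystemExit(f"no token: set {TOKEN_FILE_ENV} (preferred) or {TOKEN_ENV}")


def write_token_file(path: str, token: str) -> None:
    """Create the file with 0600 at open time, so there is no window in which
    a default umask leaves it world-readable before a later chmod."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(token + "\n")


def demo() -> dict:
    """Exercise each source in a temporary directory and report the outcome."""
    results = {}
    sample = "pat_constructed_example"  # constructed, not a real token
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "token")
        write_token_file(good, sample)
        results["file"] = load_token([], {TOKEN_FILE_ENV: good})
        loose = os.path.join(d, "loose")
        write_token_file(loose, sample)
        os.chmod(loose, 0o644)  # simulate a carelessly created token file
        try:
            load_token([], {TOKEN_FILE_ENV: loose})
            results["loose_file"] = "accepted"
        except PermissionError as exc:
            results["loose_file"] = f"rejected: {exc}"
        results["env"] = load_token([], {TOKEN_ENV: sample})
        try:
            load_token(["tool", TOKEN_FLAG, sample], {})
            results["argv"] = "accepted"
        except SystemExit as exc:
            results["argv"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for source, outcome in demo().items():
        print(f"{source:10} {outcome}")
```

Whichever source is used, the token should never be echoed into the tool's own logs or into the transcript the agent sees; a loader like this only closes the argv and file-permission holes named in the finding.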

Missing User Warnings

Medium severity, 96% confidence
Finding
The markdown instructs the agent to access a live build machine and run shell commands without clear user-facing risk disclosure, approval boundaries, or technical safeguards. In this skill context, the target environment is a CI/CD build host that may contain source code, credentials, deployment artifacts, and network reachability to internal systems, making unauthorized or overbroad command execution especially dangerous.

VirusTotal

64/64 vendors flagged this skill as clean.
