Back to skill

Security audit

Alibabacloud Agentloop Management

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for Alibaba Cloud AgentLoop onboarding, but it asks for broad cloud and cluster authority and includes an unsafe remote script execution path.

Install only if you are comfortable giving the agent Alibaba Cloud and Kubernetes onboarding authority. Use a least-privilege RAM profile, avoid granting wildcard CMS or broad kubeconfig access unless required, do not run curl-to-bash installers without inspecting and verifying them, and treat LicenseKey/authToken values as secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file declares `cms` API access with `apiName: "*"`, which grants the skill an effectively unrestricted CMS API surface despite the skill metadata describing a much narrower AgentLoop/APM onboarding purpose. This kind of scope mismatch creates an over-privileged integration that could be abused to invoke unrelated monitoring APIs, increasing blast radius and enabling unintended actions beyond probe installation or onboarding.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly recommends piping a remotely fetched script directly into bash for OpenClaw/CoPaw/Hermes installation. In an agent skill context, this is dangerous because it encourages execution of unauthenticated remote code and the script is passed sensitive onboarding parameters such as license keys and endpoints, creating both code execution and credential exposure risk.

Credential Access

High
Category
Privilege Escalation
Content
## Scope

Guided workflow to onboard server-side applications into AgentLoop application observability. Uses `aliyun cms2` CLI to initialize APM infrastructure and retrieve access credentials, then generates configuration for the user's specific language and deployment method.

**In-Scope**: Initialize APM infra, retrieve LicenseKey/Endpoint, register app services, generate startup configuration for all supported languages, **auto-modify K8s Deployment YAML** (with user confirmation) via `aliyun cs` + `kubectl`.
Confidence
95% confidence
Finding
access credentials

Credential Access

High
Category
Privilege Escalation
Content
"cms:GetCloudResourceData",
 "sts:GetCallerIdentity",
 "cs:DescribeClusters",
 "cs:DescribeClusterUserKubeconfig"
 ],
 "Resource": "acs:cms:*:<accountId>:*"
 },
Confidence
84% confidence
Finding
Kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
"Effect": "Allow",
 "Action": [
 "cs:DescribeClusters",
 "cs:DescribeClusterUserKubeconfig"
 ],
 "Resource": "*"
 }
Confidence
88% confidence
Finding
Kubeconfig

External Script Fetching

High
Category
Supply Chain
Content
- Version too old or unrecognized -> 
 1. Run `aliyun upgrade --help` to test whether the `upgrade` subcommand exists.
 - Available -> run `aliyun upgrade -y` to update to the latest version automatically, then re-check `aliyun version`.
 2. If `upgrade` not available -> run `curl -fsSL --connect-timeout 10 --max-time 300 https://aliyuncli.alicdn.com/setup.sh | bash`, then re-check `aliyun version`.
 3. If upgrade succeeded -> go to step 3.
 4. If upgrade failed -> ask the user to upgrade manually: <https://help.aliyun.com/zh/cli/update-cli>. Stop and exit.
Confidence
98% confidence
Finding
curl -fsSL --connect-timeout 10 --max-time 300 https://aliyuncli.alicdn.com/setup.sh | bash

External Script Fetching

High
Category
Supply Chain
Content
### OpenClaw / CoPaw / Hermes

- Each framework provides a dedicated installer script (`curl -fsSL ... | bash`) that installs the corresponding observability plugin.
- Pass parameters via `--x-arms-license-key`, `--serviceName`, and `--endpoint`.
- Only the `opentelemetry` protocol is supported. Render output from the addon template.
Confidence
98% confidence
Finding
curl -fsSL ... | bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.