Back to skill

Security audit

Alibabacloud Ai Innovation Lab Skill

Security checks across malware telemetry and agentic risk

Overview

The skill's core recommendation feature is coherent, but it also includes persistent subscription memory, recurring task creation, and environment-token handling that deserve review before installation.

Install only if you are comfortable with a skill that can fetch Aliyun project data, remember subscription status, and help create recurring recommendation jobs. Review the cron and token-handling sections carefully, and avoid allowing it to inspect or pass environment tokens unless you explicitly need that behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell commands, performs network fetches, and writes files or instructs users to do so, yet no corresponding permissions are declared. This breaks least-privilege expectations and can cause the host agent to execute capability-bearing actions that reviewers or users would not infer from the manifest alone.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The manifest presents the skill as a simple recommendation/deployment guide, but the instructions expand behavior into data scraping, offline parsing, fallback data sources, filtering, sorting, and file output. That mismatch undermines informed consent and reviewability, and it hides materially different execution behavior behind a benign description.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The metadata says the skill should directly output a template and avoid external-platform lookup, but the body requires live fetching from external URLs and an OSS snapshot. This inconsistency can bypass policy assumptions about offline or deterministic behavior and introduces supply-chain and content-trust risk from remote resources.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill adds cross-session memory search/write for subscription-state tracking, which is unrelated to the core purpose of recommending deployable AI projects. Storing longitudinal user state increases privacy exposure and enables profiling or repeated outreach behavior beyond what users would reasonably expect from this skill.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill instructs creation of scheduled tasks and cron-based recurring execution, including platform-specific and system-cron fallback behavior. Persistence and autonomous re-execution materially increase risk because the skill can continue making network requests and producing outputs after the initial interaction.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The file expands a narrowly scoped AI Innovation Lab recommendation/deployment skill into generic scheduled-task orchestration guidance for multiple unrelated agent platforms. That broader operational scope can cause an agent to perform persistent automation or cross-platform actions that were not necessary for the advertised purpose, increasing the chance of unintended task creation and abuse of ambient tool privileges.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The OpenClaw section instructs the agent to inspect the `GATEWAY_TOKEN` environment variable and conditionally propagate it into commands or headers. Reading and reusing credentials is sensitive behavior unrelated to simple project recommendation, and if followed by an agent with tool access it could expose or misuse authentication material across execution contexts.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The text explicitly tells the agent to check a sensitive environment variable without prior user warning or consent. Even if the token is not printed literally, accessing credential-bearing environment state violates least privilege and can lead to unauthorized secret use, propagation into subprocesses, or accidental disclosure in logs and command history.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.insecure_tls_verification

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/fetch_ai_lab.py:134