Back to skill

Security audit

Alibabacloud Alinux Sysom Inspection

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Alibaba Cloud SysOM inspection tool whose sensitive actions fit its purpose and require user-directed execution or confirmation.

Install only if you intend to let the skill use Alibaba Cloud credentials for SysOM operations. Prefer a least-privilege RAM policy, pass --instance-id to avoid broad instance listing, review prompts before allowing SysOM activation or agent installation, and use --disable-memgraph-diagnosis if automatic memory diagnosis is not desired.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation describes capabilities that include environment use, file operations, and network/API access, but no explicit permissions are declared. This creates a trust and governance gap: operators cannot accurately assess what the skill may access, and a skill with activation, installation, and diagnostic actions could perform unintended changes or data access without clear prior authorization boundaries.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The inspection command does more than observe system state: when SysOM is not ready it can prompt for activation, call InitialSysom with check_only=false, and install an agent on the target instance. That changes cloud-side service state and deploys software to instances, which is a privileged side effect that exceeds a typical 'inspection' expectation and could be abused or triggered unexpectedly in automation or by an over-trusting operator.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
If no instance ID is supplied, the command enumerates all instances in the region and presents them for interactive selection. This broadens data exposure beyond the requested target, potentially revealing instance identifiers, names, and managed state to whoever can run the skill, and it increases blast radius by enabling accidental inspection of the wrong instance.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The trigger keywords include broad operational terms such as 'inspection', 'instance diagnosis', and 'memory usage', which can match many routine admin conversations. That increases the chance of accidental invocation of a skill that performs network calls and may initiate activation, installation, or automated diagnosis flows, making unintended execution more likely in a sensitive ops context.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The CLI surface describes inspection and diagnosis options but does not clearly advertise that the workflow may activate SysOM and install an agent when prerequisites are missing. Even though there is an interactive prompt later, the lack of upfront warning in the interface and help text creates a consent and expectation gap that can lead to unintended privileged changes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_resource_identifier

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
scripts/sysom_cli/lib/auth.py:43