Back to skill

Security audit

Alibabacloud Bailian Rag Knowledgebase

Security checks across malware telemetry and agentic risk

Overview

This retrieval skill can automatically install an Alibaba CLI plugin and create, store, or delete Alibaba Cloud API keys, so users should review it before installing.

Install only if you intend to let this skill use your Alibaba Cloud CLI profile and manage DashScope API keys. Prefer supplying DASHSCOPE_API_KEY yourself and avoid granting CreateApiKey/DeleteApiKey permissions unless you want the skill to provision and revoke keys. Review ~/.aliyun/config.json after use and be aware the plugin install path uses a pre-release CLI plugin flag.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Auto-install ModelStudio plugin if missing."""
    try:
        print("Installing ModelStudio plugin...", file=sys.stderr)
        result = subprocess.run(
            ["aliyun", "plugin", "install",
             "--names", "aliyun-cli-modelstudio", "--enable-pre"],
            capture_output=True,
Confidence
95% confidence
Finding
result = subprocess.run( ["aliyun", "plugin", "install", "--names", "aliyun-cli-modelstudio", "--enable-pre"], capture_output=True, text=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
workspace_id = _get_workspace_id()

    try:
        result = subprocess.run(
            ["aliyun", "modelstudio", "create-api-key",
             "--region", "cn-beijing",
             "--workspace-id", workspace_id,
Confidence
97% confidence
Finding
result = subprocess.run( ["aliyun", "modelstudio", "create-api-key", "--region", "cn-beijing", "--workspace-id", workspace_id, "--description

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}

    try:
        result = subprocess.run(
            ["aliyun", "modelstudio", "delete-api-key",
             "--region", "cn-beijing",
             "--api-key-id", api_key_id,
Confidence
94% confidence
Finding
result = subprocess.run( ["aliyun", "modelstudio", "delete-api-key", "--region", "cn-beijing", "--api-key-id", api_key_id, "--user-agent", _g

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The module creates, stores, and deletes Alibaba Cloud API keys locally and remotely, which materially exceeds the manifest's stated knowledge-base retrieval behavior. This is dangerous because it gives the skill credential-management powers that can silently expand, persist, or revoke access in the user's cloud account.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill auto-installs an Alibaba CLI plugin, altering the local execution environment despite being described as an HTTPS knowledge-base retrieval tool. This introduces unnecessary supply-chain exposure and violates least surprise by changing system state without clear user approval.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code manages local CLI state and credentials via subprocesses rather than limiting itself to remote retrieval requests. In skill context, this is more dangerous because users would not expect a retrieval helper to inspect or modify local cloud tooling and account configuration.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The documentation understates behavior by implying local API key management, while the implementation also attempts remote cloud deletion. Misleading documentation is dangerous in this context because it can cause users or reviewers to underestimate destructive cloud-side actions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
When no key is found, the code automatically creates a new cloud API key and persists it without prior confirmation. This is dangerous because it performs an external privileged action and leaves a new credential on disk, which users may neither expect nor monitor.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill may automatically install a CLI plugin as part of normal operation without a separate warning or approval step. That is unsafe because it changes the host environment and introduces new executable code beyond the user's likely expectations for a retrieval skill.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The deletion path removes local credentials and may also delete the cloud API key without an explicit confirmation checkpoint. In this skill context, that creates a surprising destructive action that can cause denial of access and operational disruption.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.