Back to skill

Security audit

Alibabacloud Cadt Arch Draw

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do its stated Alibaba Cloud diagramming job, but its setup guidance includes risky installer commands and recommends overly broad cloud permissions for a drawing-only workflow.

Review this before installing. Prefer a package-manager or checksum/signature-verified Aliyun CLI installation instead of the curl-to-bash command, disable automatic plugin installation unless you need it, and use the listed per-product read-only RAM policies where possible rather than granting PowerUserAccess to a drawing-only workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation instructs users to pipe a remotely fetched script directly into bash, which executes whatever the server returns without inspection, integrity verification, or pinning. If the hosting endpoint, network path, or upstream distribution is compromised, users could run arbitrary code on their machines during installation.

External Script Fetching

High
Category
Supply Chain
Content
brew install aliyun-cli

# Universal
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash

# Post-install
aliyun configure set --auto-plugin-install true
Confidence
99% confidence
Finding
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
brew install aliyun-cli

# Universal
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash

# Post-install
aliyun configure set --auto-plugin-install true
Confidence
98% confidence
Finding
| bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.