Security audit

Alibabacloud Cloudfw Vpc Firewall Diagnosis

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed read-only Alibaba Cloud firewall diagnostic helper, with no artifact-backed evidence of hidden writes, exfiltration, or destructive behavior.

Install only if you are comfortable letting the agent query the selected Alibaba Cloud profile for firewall, network, ACL, and recent ActionTrail data. Use a read-only RAM policy as documented, avoid broad admin profiles, do not paste AccessKey secrets into chat, and verify that CLI AI-Mode is disabled after the diagnostic workflow.

SkillSpector

By NVIDIA

Vulnerability Patterns

Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (3)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 89% confidence
Finding: This is a mismatch because the description materially overstates the skill's scope compared with the actual code. The implemented scripts focus on closure pre-checks and route rollback/revoke risk analysis: comparing transit router route tables, filtering Cloud Firewall auto-created routes, checking ACL policy counts, and reporting post-closure route-loss risks. The code does not contain logic to troubleshoot VPC firewall provisioning failures, route policy configuration failures, or firewall status stuck in configuring. It also does not use VPC or ActionTrail APIs, and STS is only mentioned in the shell whitelist rather than being part of the implemented diagnostic flow. While the closure pre-check portion of the description matches well, the broader declared purpose does not accurately represent what the code actually does.

Unvalidated Output Injection

High

Category: Output Handling
Content: print(f"Error: run_cli only accepts a list[str], got {type(argv).__name__}") sys.exit(1) try: result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30) if result.returncode != 0: print(f"Error: command failed: {result.stderr}") sys.exit(1)
Confidence: 95% confidence
Finding: subprocess.run(argv, shell=False, capture_output

Direct Prompt Extraction

High

Category: System Prompt Leakage
Content: - Use OpenAPI read-only queries for current state. - Treat `ErrorDetail` and recent ActionTrail evidence as stronger than precheck-only results. ## Output Rules - Put the conclusion first. - Keep evidence concise.
Confidence: 26% confidence
Finding: Output Rules

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal