Back to skill

Security audit

Alibabacloud Data Agent Skill

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches its Alibaba Cloud data-analysis purpose, but it needs Review because it combines enterprise data access with broad local logging, background workers, and under-disclosed outbound notification paths.

Install only after reviewing the notification and logging behavior. Use least-privilege Alibaba Cloud RAM credentials, do not use broad managed DMS policies for routine work, avoid setting ASYNC_TASK_PUSH_URL unless the destination is approved, disable or ignore HEARTBEAT-style external notifications for sensitive sessions, and treat everything under sessions/ as sensitive because it can contain prompts, progress logs, reports, and generated files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The HEARTBEAT workflow explicitly instructs the skill to push session progress, milestones, and results to users via send_message or external channels such as Telegram/WhatsApp. That creates unsolicited outbound messaging behavior beyond the core data-analysis function and can leak analysis context or sensitive operational details without a fresh user action or clear consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The formatter is not purely rendering text: it decodes attacker-controlled base64 image data from analysis output and writes it to disk. In a CLI skill that processes remote agent responses, this expands the trust boundary and can be abused for unintended file creation, disk consumption, and persistence of untrusted content on the local machine, even if the written path is constrained under an output directory.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file implements OpenClaw/Clawdbot session discovery and outbound message pushing, behavior unrelated to the stated Alibaba Cloud data-analysis purpose of the skill. In an agent skill, hidden cross-session messaging can exfiltrate prompts, analysis results, or metadata to external chat channels and creates an unauthorized communication path that materially increases abuse potential.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code adds external notification delivery and CLI-based control over chat sessions without a clear relationship to data querying or analytics. In this skill context, that mismatch is suspicious because it broadens the attack surface and enables side-channel data transfer or covert operator messaging not implied by the skill description.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
The fallback debug path writes diagnostic text to a hard-coded file in /tmp, which can expose operational details or sensitive streamed content outside the configured output directory and logging controls. Using a shared world-accessible temporary location increases the chance of unintended disclosure on multi-user systems and makes retention harder to manage.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The method claims to download by file ID but instead performs a raw GET to a hard-coded placeholder URL pattern, bypassing the service's normal metadata or signed-URL retrieval flow. This can cause incorrect trust assumptions, break authorization expectations, and encourage unsafe direct object access patterns if a real endpoint were substituted without proper validation.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger guidance includes broad natural-language phrases such as generic data analysis or database query wording, which can cause the skill to be selected in situations where the user did not intend to invoke a cloud-connected database tool. Accidental invocation is risky here because the skill can use credentials, access managed data resources, and initiate remote analysis sessions or file handling with enterprise data context.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The credential setup section instructs users to export cloud API keys and rely on credential chains but does not clearly warn about the sensitivity of these secrets, storage hygiene, shell history leakage, or least-privilege IAM practices. In a skill that can access enterprise databases and workspaces, weak credential guidance materially increases the risk of account compromise or overbroad access if secrets are mishandled.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions direct the agent to send proactive notifications through external messaging channels without any user-visible warning, consent flow, or disclosure of what session data may be transmitted. In a data-analysis skill handling enterprise database outputs, even status summaries or milestone updates may contain sensitive business information, so silent outbound sharing is risky.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The import command can change Data Agent state by importing database tables into the Data Center, yet the reference does not clearly warn that this is a potentially impactful operation requiring explicit user consent and awareness of governance implications. In an enterprise database-analysis skill, understated state-changing behavior is more dangerous because users may expect read-only discovery and analysis, leading to unintended ingestion of sensitive schemas or data resources.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to create an Alibaba Cloud AccessKey for authentication but does not warn that AccessKeys are long-lived secrets that can grant broad API access if exposed. In a skill that interacts with DMS and enterprise databases, omission of credential-handling guidance increases the risk of users storing keys insecurely, sharing them in plaintext, or overusing persistent credentials where safer short-lived alternatives may exist.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow documents a non-interactive import operation using `--yes`, which suppresses confirmation for an operation that can change the Data Agent/Data Center state by importing database metadata or tables. In an agent skill context, users may copy commands verbatim, so the lack of an explicit warning about scope, source validation, and side effects increases the chance of unintended data onboarding or analysis against the wrong database.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The function captures the full stdout/stderr of a subprocess and writes it to a session file without any filtering, minimization, or disclosure controls. In a data-analysis skill that may interact with enterprise databases, subprocess output can include query results, credentials, tokens, schema details, or other sensitive operational data, creating a meaningful risk of sensitive data exposure through local logs.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code prints discovered session identifiers and later logs target session information, exposing sensitive identifiers in stdout/stderr logs. Session IDs can enable correlation, targeting, or misuse of chat sessions, especially in shared CI/agent environments where logs may be centrally collected or accessible to other operators.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Logging the full ASYNC_TASK_PUSH_URL may reveal internal hostnames, API paths, tenant identifiers, or other infrastructure details that aid reconnaissance. In agent environments, central log aggregation can turn such prints into unintended disclosure to broader audiences.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The function sends arbitrary message content and session metadata to a configurable external URL, creating a straightforward exfiltration path for potentially sensitive data produced by the agent. The danger is amplified by the skill context because the feature is unrelated to Alibaba Cloud data analysis and could silently forward database-derived insights or user prompts off-platform.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code extracts and logs the user's query verbatim, and elsewhere diagnostic output is persisted to progress logs. In a data-analysis/database context, user queries often contain sensitive business questions, schema names, identifiers, or even secrets, so echoing and storing them without warning, redaction, or consent creates a meaningful data-exposure risk.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This code downloads remote content and writes it directly to an arbitrary local path with no validation of destination, filename safety, content type, or size limits. In a skill context that bridges remote services and local execution environments, this increases the risk of overwriting sensitive files, storing unexpected content, or facilitating follow-on abuse if callers pass unsafe paths.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The async downloader reads remote content and writes it directly to the provided local path without path restrictions, content validation, or size controls. In an agent skill that may process untrusted remote URLs or service-generated links, this can enable unsafe file writes and storage of malicious or excessive data on the host.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script prints the full API response body to stdout, and in debug mode it pretty-prints the entire response object without redaction. Even though this is a standalone verification utility, response bodies can contain tenant identifiers, request metadata, routing/unit information, or future API fields that may be sensitive; these values can be exposed in terminal history, CI logs, or shared troubleshooting output.

Ssd 3

Medium
Confidence
96% confidence
Finding
The HEARTBEAT logic tells the agent to read progress logs, reports, and error logs, then relay their contents in plain language to the customer or external messaging channels. Because this skill operates on enterprise database analysis sessions, those files may contain schema details, query intent, business metrics, failure traces, or report contents, making proactive transmission a meaningful data-disclosure risk.

Ssd 3

Medium
Confidence
97% confidence
Finding
Echoing user queries in plain language and feeding them into the broad logging path creates a realistic leakage channel for sensitive user-provided data. Because this skill is designed for enterprise database analytics, queries may reference internal datasets, business metrics, customer information, or credentials pasted by mistake, making this context more dangerous than a generic chat tool.

Ssd 3

Medium
Confidence
95% confidence
Finding
The diagnostic logging functions write arbitrary streamed content to progress logs and structured logs, including model outputs, tool responses, and potentially database-derived content. In an enterprise analytics setting, those outputs may include proprietary data, query results, or sensitive operational details, so broad plaintext logging materially increases the risk of at-rest disclosure and unintended access.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.