Back to skill

Security audit

Alibabacloud Ecs Diagnose

Security checks across malware telemetry and agentic risk

Overview

This ECS diagnostics skill is transparent about Alibaba Cloud troubleshooting, but it mixes diagnostics with high-impact remediation and remote command execution without enough scoped guardrails.

Install only if you are comfortable giving the agent Alibaba Cloud diagnostic access and, for deep diagnostics, permission to run commands on ECS instances. Prefer the read-only RAM policy first, use a dedicated least-privilege role, keep Cloud Assistant execution disabled unless needed, and require explicit review before any firewall, EIP, instance lifecycle, password, reboot, or guest OS command is run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file documents `authorize-security-group` and `revoke-security-group`, which are state-changing commands that alter network access rather than merely inspect or diagnose ECS state. In a diagnostics skill, including write-capable security group operations expands the skill from observation into infrastructure modification, increasing the risk of accidental exposure, lockout, or misuse if the agent invokes these commands during troubleshooting.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The stated skill purpose is ECS diagnostics and troubleshooting, but these examples grant and revoke firewall access, which is a privileged remediation action not clearly justified by the documented scope. That mismatch is dangerous because agents often generalize from available examples; exposing these commands in a diagnostic skill can normalize unsafe network changes during routine incident handling.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This guide is framed as diagnostics, but it includes direct state-changing actions such as modifying security groups, allocating/binding EIPs, starting instances, resetting passwords, and rebooting systems. In an agent skill, combining troubleshooting with recovery actions materially increases the risk of unauthorized changes, outages, expanded exposure, and credential disruption if the workflow is executed too eagerly or with weak confirmation controls.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The guide authorizes arbitrary remote command execution on guest OS instances via Cloud Assistant, which gives the agent a powerful execution channel inside customer systems. If misused, prompted adversarially, or combined with insufficient validation, this can lead to data access, persistence, service disruption, or full host compromise under the instance's privileges.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The guide instructs the agent environment to perform direct network probing and login attempts using tools like nc, telnet, and ssh. That creates an outbound network interaction surface from the agent runtime, which may violate environment boundaries, leak metadata, trigger unintended authentication attempts, or be repurposed for scanning behavior beyond the intended target.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The document shows users how to configure long-lived access keys and then displays the resulting config structure containing access_key_id and access_key_secret in plaintext, without an immediate warning that these secrets are stored locally and may be exposed through screen sharing, logs, shell history, backups, or permissive file access. In an agent-oriented skill, this is more dangerous because users may copy real credentials into commands verbatim and assume the workflow is safe for automation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documented 'Full Diagnostics Policy' includes `ecs:RunCommand`, which enables remote command execution on ECS instances via Cloud Assistant. In a diagnostics skill this capability can be legitimate, but the file does not prominently warn that enabling deep diagnostics grants active execution privileges rather than read-only inspection, which raises the risk of unintended privilege expansion or misuse by operators who assume the policy is non-invasive.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The add/remove security group examples show how to open SSH or HTTP access and revoke rules, but they do not warn that these actions can immediately expose services to the internet or cut off legitimate access. Without explicit safety messaging, users or agents may treat them as routine diagnostic steps and make high-impact network changes without understanding rollback or blast radius.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The Cloud Assistant `run-command` examples demonstrate remote execution on ECS instances, including parameterized scripts and multi-instance targeting, but omit any warning that these commands execute code on production systems. In the context of an agent skill, that omission increases the chance of unsafe execution, lateral impact across multiple hosts, or running unreviewed commands under the guise of diagnostics.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The password reset and reboot procedure lacks an immediate, localized warning that credentials will rotate and that a reboot can interrupt service. In operational automation, missing just-in-time warnings can cause accidental lockouts, break dependent applications, and create availability incidents even when the action is authorized.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Presenting remote command execution without a local warning understates the risk of executing code on the target instance. Users and downstream agents may treat it as a routine diagnostic step, increasing the chance of harmful commands being run without understanding privilege, persistence, or service impact.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.