Security audit

Alibabacloud Ecs Install Extension

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for Alibaba Cloud ECS extension installation, but it can change cloud instances and includes under-scoped defaults and credential guidance that users should review carefully.

Install only if you intend to let an agent manage Alibaba Cloud ECS/OOS extensions for specific instances. Use a least-privilege RAM role or short-lived credentials, avoid entering AccessKeys in chat or shell history, verify the exact region, instance IDs, package name, and parameters, and do not allow a second OOS execution when a matching one is already running unless you explicitly want that.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (5)

Context-Inappropriate Capability

Medium

Confidence: 90% confidence
Finding: The skill directs the agent to retrieve and store the full OOS template content, which may include large embedded installation scripts and internal implementation details not required for basic parameter discovery. Expanding data access beyond the minimum necessary increases exposure to sensitive or dangerous script content and creates unnecessary local persistence in /tmp, which could be reused, leaked, or misinterpreted by downstream tooling.

Context-Inappropriate Capability

Medium

Confidence: 84% confidence
Finding: Mandating a global CLI plugin update modifies the user's execution environment before performing the requested task and can introduce unreviewed code changes or version drift. This exceeds the narrow scope of installing an ECS extension and creates supply-chain and operational risk if the update pulls unexpected plugin behavior.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: Requesting `bss:DescribeOrderDetail` introduces billing visibility unrelated to listing or installing ECS extensions, violating least privilege. Unnecessary financial or account metadata access broadens the blast radius if the skill is misused or if its execution context is compromised.

Vague Triggers

Medium

Confidence: 78% confidence
Finding: Broad triggers such as generic terms like "install", "Python", or "package" can cause the skill to activate in contexts unrelated to ECS extension management. Because this skill performs environment-changing operations, accidental invocation increases the chance of unintended cloud actions or confusing routing into privileged workflows.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The guide instructs users to pass long-lived cloud credentials directly on the command line and to export them as environment variables. Those practices can expose secrets through shell history, process listings, CI logs, shared terminals, or inherited environments, which is especially risky in an automation-oriented skill handling cloud administration.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.