Back to skill

Security audit

Alibabacloud Ecs Vpc Publicnetwork Troubleshoot

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed Alibaba Cloud troubleshooting tool, but it persists cloud credentials locally and gives manual remediation advice that can weaken or change network security controls.

Install only if you are comfortable with the skill reading Alibaba Cloud credentials from standard sources and writing them to scripts/.sts_cache.json. Use a narrowly scoped read-only RAM role or temporary STS credentials, delete the cache after use, and treat any suggested firewall, route, NAT, SNAT, security-group, or gateway changes as manual recommendations that need human review and a rollback plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly requires shell execution, environment-variable use, and local file read/write, including writing credentials to `scripts/.sts_cache.json`, but it declares no corresponding permissions. This creates a capability/permission mismatch that can bypass operator expectations and increases the risk of unintended credential exposure or unauthorized local side effects when the skill runs.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
These templates go beyond diagnosis and instruct users to create or delete network resources and alter security-relevant controls, including NAT gateways, routes, and IPv4 gateway settings. In an agent skill advertised as troubleshooting connectivity, this can cause unintended infrastructure changes, outages, cost impact, or weakened network posture if the diagnosis is wrong or incomplete.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill recommends disabling Cloud Firewall protection as a troubleshooting step, which weakens a security boundary and exceeds the manifest's stated scope of diagnosing connectivity failures. If followed automatically or uncritically, this could expose public IPs or SNAT EIPs to hostile internet traffic and reduce defense-in-depth during an active issue.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads cloud credentials from a local .sts_cache.json file as an implicit fallback, expanding the trust boundary beyond standard credential providers. In an agent-skill context, this can cause unintended cross-tenant or stale credential use and may let the script operate with privileges the current user did not explicitly authorize.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring promises operation only on a single user-confirmed resource, but the implementation does not enforce that policy and also performs related account-level and network-level queries. In an agent environment, this mismatch can lead to over-collection of sensitive metadata beyond the user's intended diagnostic scope.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script is a credential acquisition and STS role-assumption utility, which is materially broader than the declared skill purpose of troubleshooting ECS/VPC public-network connectivity. In a troubleshooting skill, code that gathers cloud credentials and prepares them for downstream reuse expands access far beyond diagnostics and creates an unnecessary secret-handling surface.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code persists access keys, secret keys, and session tokens to a local cache file for reuse across executions and UIDs. For a network-diagnosis skill, local secret caching is unjustified and increases the blast radius of host compromise, accidental disclosure, or cross-task credential reuse.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script loads Alibaba Cloud credentials from a local .sts_cache.json file, expanding its credential sources beyond standard environment/default-chain behavior. This increases the chance of unintended cross-account access or use of stale/high-privilege credentials, especially for a troubleshooting skill that is supposed to operate only within the user's confirmed scope.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The script claims it should run only against the single user-specified resource, but it performs account-level checks such as GetCallerIdentity and account balance queries unrelated to the provided VSwitch. That broadens data access beyond the declared scope and can expose sensitive account metadata during what should be resource-scoped diagnostics.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly states that STS or access credentials are written to a local cache file (`.sts_cache.json`) but does not require file permission hardening, encryption, secure deletion, or warnings about multi-user hosts and workspace leakage. Even temporary cloud credentials on disk can be exfiltrated by other local users, build agents, log collectors, or accidental commits, enabling unauthorized read access to cloud metadata and potentially broader environment exposure.

Credential Access

High
Category
Privilege Escalation
Content
## Step 3: Invoke Scenario Script

After successfully obtaining access credentials, invoke the corresponding automation script based on user-selected scenario.

> **Credential Passing**: After Step 2, `sts_create.py` writes credentials to a local cache (`scripts/.sts_cache.json`), and all business scripts read them automatically. **Scripts do NOT accept `--access-key-id` or similar parameters.** **Never export or echo plaintext AK/SK/STS token on the command line** — doing so exposes sensitive credentials in the execution log.
Confidence
81% confidence
Finding
access credentials

Credential Access

High
Category
Privilege Escalation
Content
def main():
    parser = argparse.ArgumentParser(
        description="Get Alibaba Cloud access credentials (for customer self-service use)",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
Examples:
Confidence
97% confidence
Finding
access credentials

Session Persistence

Medium
Category
Rogue Agent
Content
def save_credentials_to_cache(uid: str, result: dict):
    """
    Write credentials to local cache. Multi-UID coexistence:
    - Overwrite/add entry for current UID, keep other UIDs unchanged
    - Also clean up expired entries for other UIDs
    """
    if not result.get('success') or not uid:
Confidence
98% confidence
Finding
add entry for

Session Persistence

Medium
Category
Rogue Agent
Content
CACHE_EXPIRY_BUFFER = 60


# ---------------- Cache Read/Write ----------------

def _read_cache_file() -> dict:
    """
Confidence
93% confidence
Finding
Write ---------------- def _read_cache_file() -> dict: """ Read cache file, normalize to: {"last_active_uid": "<uid>", "credentials": {"<uid>": {...}}} Compatible with old single-

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.