Back to skill

Security audit

Alibabacloud Emr Cluster Manage

Security checks across malware telemetry and agentic risk

Overview

This skill can manage Alibaba Cloud EMR clusters, but it combines broad cloud-changing authority with risky CLI install and update instructions that users should review first.

Install only if you intend to let an agent operate Alibaba Cloud EMR with the active aliyun account. Prefer a dedicated least-privilege RAM role or short-lived STS token, preinstall and approve the CLI/plugins outside the skill instead of using curl-to-bash or automatic plugin updates, and avoid putting real database passwords in command lines or chat transcripts. Review every write action for cost and production impact before confirming it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill metadata explicitly states it does not support deletion, release, or termination under any circumstances, yet the reference documents destructive operations such as DecreaseNodes and RemoveAutoScalingPolicy. Even though these are not full cluster deletion APIs, they enable irreversible capacity reduction and policy removal, creating a mismatch that can cause an agent to perform destructive actions the user and platform believe are disallowed.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill manifest explicitly says cluster deletion, release, or termination is unsupported, yet this document includes deletion-state handling and operational guidance around termination outcomes. That mismatch is dangerous because an agent may infer deletion is in-scope and assist with destructive lifecycle operations the skill is supposed to refuse.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The title and table of contents advertise 'full lifecycle' coverage, which strongly implies end-to-end management including destruction, conflicting with the skill's stated no-deletion restriction. In an agent setting, scope ambiguity is itself risky because routing and planning layers may authorize destructive requests based on documentation claims rather than the manifest.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The quick-start claims the workflow includes 'cleanup resources' even though the skill metadata explicitly says deletion, release, or termination are not supported under any circumstances. This mismatch can mislead users into expecting destructive lifecycle help from the skill and may cause unsafe guidance drift or policy bypass attempts around cluster teardown, especially because cluster cleanup in cloud environments has billing and availability consequences.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The document advertises a cleanup step but provides no supported cleanup procedure consistent with the manifest's prohibition on deletion or termination. That inconsistency can confuse users, increase operational mistakes, and encourage them to infer or request unsupported destructive actions from the agent.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The documented RAM policy grants `emr:RemoveAutoScalingPolicy`, which is explicitly a deletion-capable, irreversible write action, even though the skill metadata says deletion/release/termination operations are not supported under any circumstances. This creates a dangerous mismatch between advertised behavior and granted privileges, increasing the chance that the agent or an attacker leveraging the skill can perform destructive changes outside the intended scope.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
Describing the skill as supporting 'full lifecycle management' broadens operator expectations and normalizes requesting expansive privileges, while the manifest simultaneously forbids deletion/termination behavior. Even if no direct delete-cluster action is listed here, this wording encourages over-privileged deployment and obscures the actual safety boundary of the skill.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The least-privilege section recommends a 'Full management' permission set that includes irreversible destructive capability (`DecreaseNodes`) and deletion-oriented policy removal, despite the skill's stated refusal to perform deletion/termination operations. In a cluster-management context, this is more dangerous because users are likely to apply the suggested policy verbatim to production infrastructure, granting broader mutating authority than the skill contract implies.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document establishes a mandatory safety control requiring operators to first display the existing auto-scaling policy and obtain explicit confirmation before calling RemoveAutoScalingPolicy, but the later delete section provides a direct deletion command without enforcing that prerequisite. This can lead an agent or operator to disable automatic capacity safeguards without adequate review, potentially causing service instability, missed scale-outs, or unexpected cost/performance consequences.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Broad trigger phrases like 'running out of resources' and 'check my cluster' can cause the skill to activate in contexts that are not clearly EMR-specific. In a high-privilege infrastructure skill, misrouting can lead to unintended queries or even changes against the wrong product or resource if disambiguation is skipped elsewhere in the stack.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs piping a remotely fetched script directly into bash, which is a classic supply-chain and remote-code-execution risk. If the remote host, transport, CDN path, or script content is compromised, the agent or user environment could execute attacker-controlled code with the caller's privileges.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The examples invoke real cluster provisioning commands that create billable cloud resources, but they do not include an explicit warning that execution will incur charges and provision infrastructure. In an agentic environment, omission of this warning increases the chance of unintended resource creation, cost exposure, and accidental deployment into production-like networks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The clone workflow tells users to copy metadata into a new RunCluster request but does not warn that clone metadata may contain sensitive configuration such as database endpoints, usernames, passwords, VPC identifiers, and security settings. This can lead to credential reuse, secret disclosure in logs, or unsafe cross-environment duplication of privileged configuration.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The instruction "When encountering ANY error" is broader than the file's intended scope of EMR/API error handling and could cause the agent to apply EMR-specific recovery behavior to unrelated failures. In a lifecycle-management skill that can create, scale, and renew cloud clusters, overly broad recovery logic increases the chance of inappropriate retries, scope creep into unsupported situations, or misleading troubleshooting steps during sensitive infrastructure operations.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:324