Back to skill

Security audit

Alibabacloud Error Troubleshoot

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Alibaba Cloud troubleshooting guide that uses the Aliyun CLI to inspect API failure logs and fetch error-code solutions, with no evidence of deception, exfiltration, or destructive behavior.

Install this only if you intend to troubleshoot Alibaba Cloud API calls with your configured Aliyun CLI profile. Be aware that request logs may include account identifiers, caller IPs, request parameters, and response bodies; avoid sharing raw logs broadly and redact sensitive details when reporting results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The skill hard-codes `--accept-language zh-CN` in the solution lookup command without checking the user's language preference. This can cause diagnostic guidance to be returned in a language the user cannot read, leading to operator error or missed remediation during incident response, but it does not by itself expose secrets or enable code execution.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The workflow explicitly instructs retrieval and analysis of request logs containing sensitive metadata such as account IDs, master account IDs, caller IPs, request parameters, and response bodies, but provides no warning to minimize, redact, or avoid exposing that data in the agent's output. In an LLM-driven support workflow, this creates a realistic risk of oversharing sensitive operational and identity data back to the user, into transcripts, or into downstream systems beyond what is necessary for troubleshooting.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.