Security audit

Alibabacloud Finops Inspect

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed read-only Alibaba Cloud cost inspection tool, but it should be run only with scoped cloud credentials because it enumerates account resources and metrics.

Install only if you intend to let the skill read Alibaba Cloud inventory, topology, billing attributes, and utilization metrics. Use a least-privilege read-only RAM user, prefer explicit --regions and --types for smaller scans, and treat generated reports as sensitive because they may include resource IDs, IPs, topology, and workload metrics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (37)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill explicitly relies on environment variables and local CLI credential configuration to obtain Alibaba Cloud AK/SK, but no permissions/capability declaration is present to signal that it reads sensitive execution context. That mismatch weakens reviewability and containment because operators may invoke the skill without realizing it can access privileged credentials from the environment.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill advertises idle-resource detection and utilization modes, but the implementation applies those modes inconsistently across resource inspectors. In particular, some inspectors skip checks when --idle-only is set, while others still emit non-idle observations, which can cause operators to miss genuinely billable idle assets or trust incomplete reports during cost-optimization actions.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The inline comment claims special handling ensures correct behavior in all modes, but the surrounding logic does not consistently honor --idle-only semantics. This mismatch is dangerous because users may make financial or operational decisions based on a false assumption that the tool is checking the idle conditions it promises.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The document explicitly instructs callers to embed a session identifier in the HTTP User-Agent string. Even if the identifier is only for observability, it creates unnecessary metadata disclosure to every Alibaba Cloud API endpoint, intermediary logs, and support systems, which can enable cross-request correlation and internal activity tracking if the session ID is stable or otherwise linkable.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The tool automatically loads account credentials and performs account-wide enumeration and telemetry queries against Alibaba Cloud APIs without presenting a clear runtime warning or consent boundary. In a skill context, this can expose broad inventory metadata and usage patterns unexpectedly, especially when triggered by natural-language requests that may not make the scope of API access obvious to the user.

External Transmission

Medium
Category
Data Exfiltration
Content
First, the `alibabacloud-credentials` credential chain loads AK/SK in the following priority: environment variables → `~/.aliyun/config.json` → runtime prompt. Credentials live in memory only.

Next, call the [DescribeRegions](https://api.aliyun.com/api/Ecs/2014-05-26/DescribeRegions) API to obtain the list of regions enabled under the account. If the user passed `--regions`, that list is used instead.

**Multi-Region Concurrency**: Throttling is independent across regions, so the skill defaults to 3-5 concurrent requests across different regions to shorten total execution time. Within a single region, requests remain serial to avoid triggering Throttling.
Confidence
89% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. ECS Instance Inspection

Call the [DescribeInstances](https://api.aliyun.com/api/Ecs/2014-05-26/DescribeInstances) API with pagination (100 per page) to retrieve all ECS instances, collecting instance ID, instance type, billing method, creation/expiration time, status, etc.

For all `Running` instances, call CloudMonitor [DescribeMetricLast](https://api.aliyun.com/api/Cms/2019-01-01/DescribeMetricLast) (Namespace `acs_ecs_dashboard`) with daily aggregation (`Period=86400`) over 7 days to query the following metrics:
Confidence
89% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Call the [DescribeInstances](https://api.aliyun.com/api/Ecs/2014-05-26/DescribeInstances) API with pagination (100 per page) to retrieve all ECS instances, collecting instance ID, instance type, billing method, creation/expiration time, status, etc.

For all `Running` instances, call CloudMonitor [DescribeMetricLast](https://api.aliyun.com/api/Cms/2019-01-01/DescribeMetricLast) (Namespace `acs_ecs_dashboard`) with daily aggregation (`Period=86400`) over 7 days to query the following metrics:

- `CPUUtilization` (CPU utilization)
- `memory_usedutilization` (memory utilization, requires CloudMonitor agent)
Confidence
89% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
**Judgment Logic**: CPU < 5% AND memory < 10% AND network < 50 Kbps → "Critical Idle"; CPU < 10% OR memory < 20% → "Low Utilization".

**Additional Check**: Filter [DescribeInstances](https://api.aliyun.com/api/Ecs/2014-05-26/DescribeInstances) results for `Status=Stopped` AND billing method `PrePaid` to separately list "stopped but still billed" instances.

**Billing Optimization Check**: For `Running` + `PostPaid` instances with normal utilization (not idle or low-util), check creation time. If the instance has been running for more than 30 days, generate a P2 recommendation suggesting conversion to `PrePaid` (subscription) billing for approximately 30%-50% cost savings.
Confidence
88% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### 3. RDS Instance Inspection

Call the [DescribeDBInstances](https://api.aliyun.com/api/Rds/2014-08-15/DescribeDBInstances) API with pagination (100 per page) to retrieve all `Running` RDS instances, collecting instance ID, engine type/version, instance class, billing method, instance role, etc.

For each instance, call [DescribeMetricLast](https://api.aliyun.com/api/Cms/2019-01-01/DescribeMetricLast) (Namespace `acs_rds_dashboard`) to query `CpuUsage` / `MemoryUsage` / `IOPSUsage` / `ConnectionUsage` metrics, using 7-day averages for judgment.
Confidence
89% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Call the [DescribeDBInstances](https://api.aliyun.com/api/Rds/2014-08-15/DescribeDBInstances) API with pagination (100 per page) to retrieve all `Running` RDS instances, collecting instance ID, engine type/version, instance class, billing method, instance role, etc.

For each instance, call [DescribeMetricLast](https://api.aliyun.com/api/Cms/2019-01-01/DescribeMetricLast) (Namespace `acs_rds_dashboard`) to query `CpuUsage` / `MemoryUsage` / `IOPSUsage` / `ConnectionUsage` metrics, using 7-day averages for judgment.

**Special Handling**: Instances with `PayType=Serverless` auto-scale to zero, which is normal behavior. They are excluded from judgment or flagged as "Serverless instance" rather than treated as waste.
Confidence
89% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
#### 4.1 EIP Idle Detection

Call the [DescribeEipAddresses](https://api.aliyun.com/api/Vpc/2016-04-28/DescribeEipAddresses) API with pagination to retrieve all EIPs. `Status=Available` is directly judged as "unbound EIP" (P0). For `Status=InUse` EIPs, call [DescribeMetricLast](https://api.aliyun.com/api/Cms/2019-01-01/DescribeMetricLast) (Namespace `acs_vpc_eip`, MetricName `net_rx.rate` / `net_tx.rate`) to query 7-day traffic. All-zero traffic is judged as "bound but zero traffic" (P1).

#### 4.2 Cloud Disk Idle Detection
Confidence
88% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
#### 4.2 Cloud Disk Idle Detection

Call the [DescribeDisks](https://api.aliyun.com/api/Ecs/2014-05-26/DescribeDisks) API with filters `Status=Available` AND `DiskType=data` (data disks only, excluding system disks) to retrieve all unmounted disks via pagination. Disks created more than 30 days ago are escalated to P0.

#### 4.3 Load Balancer Idle Detection
Confidence
87% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
CLB / ALB / NLB use entirely different SDKs and data structures, so they are processed independently:

- **CLB**: Call [DescribeLoadBalancers](https://api.aliyun.com/api/Slb/2014-05-15/DescribeLoadBalancers) to list instances, then [DescribeLoadBalancerListeners](https://api.aliyun.com/api/Slb/2014-05-15/DescribeLoadBalancerListeners) for each instance to retrieve listeners and their backend servers. No listeners — or every listener has all-zero backend weights — is judged as idle.
- **ALB**: Call [ListLoadBalancers](https://api.aliyun.com/api/Alb/2020-06-16/ListLoadBalancers) → [ListListeners](https://api.aliyun.com/api/Alb/2020-06-16/ListListeners) → [ListServerGroups](https://api.aliyun.com/api/Alb/2020-06-16/ListServerGroups) → [ListServerGroupServers](https://api.aliyun.com/api/Alb/2020-06-16/ListServerGroupServers). Listeners not bound to a server group, or server groups without backends, are judged as idle.
- **NLB**: Call [ListLoadBalancers](https://api.aliyun.com/api/Nlb/2022-04-30/ListLoadBalancers) → [ListListeners](https://api.aliyun.com/api/Nlb/2022-04-30/ListListeners) → [ListServerGroups](https://api.aliyun.com/api/Nlb/2022-04-30/ListServerGroups). The judgment logic mirrors ALB.
Confidence
88% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
CLB / ALB / NLB use entirely different SDKs and data structures, so they are processed independently:

- **CLB**: Call [DescribeLoadBalancers](https://api.aliyun.com/api/Slb/2014-05-15/DescribeLoadBalancers) to list instances, then [DescribeLoadBalancerListeners](https://api.aliyun.com/api/Slb/2014-05-15/DescribeLoadBalancerListeners) for each instance to retrieve listeners and their backend servers. No listeners — or every listener has all-zero backend weights — is judged as idle.
- **ALB**: Call [ListLoadBalancers](https://api.aliyun.com/api/Alb/2020-06-16/ListLoadBalancers) → [ListListeners](https://api.aliyun.com/api/Alb/2020-06-16/ListListeners) → [ListServerGroups](https://api.aliyun.com/api/Alb/2020-06-16/ListServerGroups) → [ListServerGroupServers](https://api.aliyun.com/api/Alb/2020-06-16/ListServerGroupServers). Listeners not bound to a server group, or server groups without backends, are judged as idle.
- **NLB**: Call [ListLoadBalancers](https://api.aliyun.com/api/Nlb/2022-04-30/ListLoadBalancers) → [ListListeners](https://api.aliyun.com/api/Nlb/2022-04-30/ListListeners) → [ListServerGroups](https://api.aliyun.com/api/Nlb/2022-04-30/ListServerGroups). The judgment logic mirrors ALB.

#### 4.4 NAT Gateway Idle Detection
Confidence
88% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
- **CLB**: Call [DescribeLoadBalancers](https://api.aliyun.com/api/Slb/2014-05-15/DescribeLoadBalancers) to list instances, then [DescribeLoadBalancerListeners](https://api.aliyun.com/api/Slb/2014-05-15/DescribeLoadBalancerListeners) for each instance to retrieve listeners and their backend servers. No listeners — or every listener has all-zero backend weights — is judged as idle.
- **ALB**: Call [ListLoadBalancers](https://api.aliyun.com/api/Alb/2020-06-16/ListLoadBalancers) → [ListListeners](https://api.aliyun.com/api/Alb/2020-06-16/ListListeners) → [ListServerGroups](https://api.aliyun.com/api/Alb/2020-06-16/ListServerGroups) → [ListServerGroupServers](https://api.aliyun.com/api/Alb/2020-06-16/ListServerGroupServers). Listeners not bound to a server group, or server groups without backends, are judged as idle.
- **NLB**: Call [ListLoadBalancers](https://api.aliyun.com/api/Nlb/2022-04-30/ListLoadBalancers) → [ListListeners](https://api.aliyun.com/api/Nlb/2022-04-30/ListListeners) → [ListServerGroups](https://api.aliyun.com/api/Nlb/2022-04-30/ListServerGroups). The judgment logic mirrors ALB.

#### 4.4 NAT Gateway Idle Detection
Confidence
88% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
#### 4.4 NAT Gateway Idle Detection

Call [DescribeNatGateways](https://api.aliyun.com/api/Vpc/2016-04-28/DescribeNatGateways) to obtain public NAT Gateways (use the `NetworkType` field to exclude VPC private NAT). Inspect each gateway's bound EIP list:

- No EIP bound → "Fully Idle" (P0)
- EIP bound, but [DescribeSnatTableEntries](https://api.aliyun.com/api/Vpc/2016-04-28/DescribeSnatTableEntries) AND [DescribeForwardTableEntries](https://api.aliyun.com/api/Vpc/2016-04-28/DescribeForwardTableEntries) both return zero entries → "Configuration Missing" (P0)
Confidence
88% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Call [DescribeNatGateways](https://api.aliyun.com/api/Vpc/2016-04-28/DescribeNatGateways) to obtain public NAT Gateways (use the `NetworkType` field to exclude VPC private NAT). Inspect each gateway's bound EIP list:

- No EIP bound → "Fully Idle" (P0)
- EIP bound, but [DescribeSnatTableEntries](https://api.aliyun.com/api/Vpc/2016-04-28/DescribeSnatTableEntries) AND [DescribeForwardTableEntries](https://api.aliyun.com/api/Vpc/2016-04-28/DescribeForwardTableEntries) both return zero entries → "Configuration Missing" (P0)

### 5. Recommendation Generation and Report Output
Confidence
88% confidence
Finding
https://api.aliyun.com/

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.