
Security audit

Alibabacloud History Lock Diagnose

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate database-lock diagnostic purpose, but it can modify the local Alibaba Cloud CLI setup and use sensitive cloud/database data without sufficiently tight user control or scoping.

Install only if you are comfortable granting the agent Alibaba Cloud CLI access for the target account and database diagnostics. Use a least-privilege read-only RAM role, avoid pasting or passing access keys in commands, review any plugin or CLI installation manually, and treat live session/SQL output as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
# Excerpt from the skill's plugin-install routine; it begins mid-function.
# The leading ')' closes the preceding subprocess.run(...) call (not in the
# excerpt) whose CompletedProcess result is bound to `check`.
)
    # Skip installation if the plugin already appears in the CLI's plugin listing.
    if plugin_name in (check.stdout or ''):
        continue
    # Otherwise install the plugin on the host without prompting the user.
    install = subprocess.run(
        ['aliyun', 'plugin', 'install', '--name', plugin_name],
        capture_output=True, text=True, timeout=60
    )
```
Confidence
93% confidence
Finding
install = subprocess.run( ['aliyun', 'plugin', 'install', '--name', plugin_name], capture_output=True, text=True, timeout=60 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell commands, accesses local environment state, and uses networked cloud APIs, but it declares no explicit permissions or trust boundaries. This creates a capability/expectation mismatch: a caller or platform may treat the skill as low-risk documentation while it can actually execute privileged actions such as installing software, querying cloud account configuration, and running diagnostic scripts against cloud resources.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This document substantially expands the skill from historical MySQL lock diagnosis into broad Alibaba Cloud CLI installation, authentication, credential setup, plugin management, and service exploration. In an agent skill, this scope creep is dangerous because it equips the agent or user with general cloud access paths unrelated to the declared task, increasing the chance of unnecessary privileged actions and credential handling.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The documentation teaches unjustified capabilities such as AccessKey provisioning, role assumption modes, plugin installation, ECS usage, and command exploration beyond the lock-diagnosis purpose. In the context of an agent skill, these instructions broaden operational authority and create opportunities for misuse, accidental lateral movement, or over-privileged execution far outside the intended troubleshooting workflow.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document states that `SET autocommit=0` starts a transaction, but the sample `is_transaction_active()` logic only checks `BEGIN` and `START TRANSACTION`. In a lock-diagnosis skill, this mismatch can cause the analyzer to miss real active transactions and misidentify or fail to identify the true blocker, leading to incorrect operational guidance during incident response.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The markdown documents a broad set of implicit commit/rollback cases, but the sample code only implements a narrow subset such as a few DDL keywords, some privilege statements, and `LOGOUT`. This incomplete implementation can leave transactions incorrectly marked as active or inactive, producing false lock chains and unsafe troubleshooting conclusions in a database diagnostic context.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill has an environment-modifying capability: it installs CLI plugins on the host during execution. For a diagnostic skill, this exceeds least privilege and introduces unnecessary supply-chain, persistence, and change-management risk on the agent host.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is described as historical lock diagnosis but also queries live current sessions (`GetMySQLAllSessionAsync`), which broadens access to active database activity and current SQL text. In an agent setting this increases exposure of sensitive runtime information beyond the user's likely expectation for retrospective analysis.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The examples pass access keys and secrets directly on the command line and show them being stored in a local config file without warning about shell history, process inspection, CI logs, or plaintext credential exposure. This is dangerous because these secrets can be recovered by other local users, logging systems, or automation platforms, leading to compromise of Alibaba Cloud resources.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The document instructs users to run `aliyun configure list`, which can display credential configuration details, but it does not warn users not to share or paste the output into tickets, chats, or logs. In a troubleshooting skill, this creates a real but low-severity risk of accidental credential or account-detail exposure during verification workflows.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Automatically installing an `aliyun` CLI plugin without confirmation is unsafe because it changes the host state and pulls executable components at runtime. In a skill context, that behavior is unexpected, hard to audit, and creates avoidable supply-chain exposure.

External Script Fetching

High
Category
Supply Chain
Content
**Pre-check: Aliyun CLI >= 3.3.3 required**
> Run `aliyun version` to verify >= 3.3.3. If not installed or version too low,
> run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` to install/update,
> or see `references/cli-installation-guide.md` for installation instructions.

**Pre-check: Aliyun CLI plugin update required**
Confidence
98% confidence
Finding
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash

VirusTotal

63/63 vendors flagged this skill as clean.
