Back to skill

Security audit

Alibabacloud Kms Secret Manage

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Alibaba Cloud KMS helper, but it needs Review because it encourages very broad cloud permissions and includes high-impact secret deletion, rotation, and plaintext-handling examples.

Install only if you intend to let the agent work with Alibaba Cloud KMS secrets. Use a dedicated least-privilege RAM role scoped to specific test or production secrets, avoid wildcard policies, avoid plaintext secrets in chat or shell history, verify the active account and region before running commands, prefer recoverable deletion, and treat managed RDS/RAM/ECS credential rotation as a production-impacting operation requiring explicit change control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill is scoped to KMS secret management, but the document recommends additional RDS, RAM, and ECS permissions with Resource set to '*'. That broadens operator trust into unrelated control planes and could enable credential resets, access-key lifecycle actions, or instance modifications if copied into production IAM policies.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
Including kms:CreateKey in permission guidance exceeds the stated secret-management purpose and encourages granting broader cryptographic administration privileges than needed. If adopted, users of a secret-management skill may gain unnecessary ability to create KMS keys, increasing blast radius and weakening least-privilege boundaries.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "secret management" is broad enough to match many benign user requests unrelated to Alibaba Cloud KMS, which can cause unintended invocation of a high-privilege skill. In this context, accidental activation is more dangerous because the skill performs sensitive secret CRUD operations, including retrieval and deletion of secrets.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The create/update workflow shows passing secret material directly via CLI arguments without an explicit warning that the plaintext secret is being transmitted to Alibaba Cloud KMS and may also be exposed locally through shell history, process listings, audit logs, or agent traces. Because this skill handles highly sensitive credentials, omission of that warning can lead users to unintentionally disclose secrets during routine use.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The rotation-policy command can change production secret rotation behavior without warning about downstream effects on dependent services, credential freshness expectations, and potential outages if consumers are not prepared to reload rotated credentials. In a secret-management skill, this omission is materially risky because users may apply rotation to live credentials with immediate operational impact.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The acceptance criteria include `DeleteSecret` examples with `--ForceDeleteWithoutRecovery "true"` but do not pair them with any explicit warning that this operation can permanently remove a secret without a recovery period. In a secret-management skill, users may copy these examples directly, so normalizing irreversible deletion without caution increases the risk of accidental destructive actions and operational outage.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide recommends placing long-lived access keys in shell environment variables without prominently warning that these values can be exposed through shell history, process inspection, CI logs, crash dumps, or inherited child processes. In an agent/automation context, this raises the risk of credential leakage and subsequent unauthorized cloud access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples instruct users how to create and rotate live database passwords, RAM access keys, and ECS login credentials without prominent warnings about service disruption, privilege consequences, or the sensitivity of handling raw secrets on the command line. In an agent skill context, this is dangerous because users may execute high-impact credential changes in production without understanding that these operations can revoke access, break applications, or expose secrets via shell history and logs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples provide wildcard Allow policies for sensitive actions such as GetSecretValue, PutSecretValue, DeleteSecret, SetSecretPolicy, and key-related operations without nearby warnings about the consequences. Readers may copy these examples directly, resulting in broad access to all secrets and policy administration across the account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes DeleteSecret and includes force deletion without a prominent warning that force deletion is irreversible and bypasses recovery. In an agent skill context, this omission increases the chance that users or downstream automation invoke destructive operations without understanding the blast radius, leading to permanent credential loss or service outages.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The examples show passing secret material directly on the command line and retrieving secret values without warning that secrets may be exposed via shell history, process listings, terminal scrollback, CI logs, or agent traces. In a secret-management skill, this is especially dangerous because the primary asset handled is sensitive data, so unsafe examples materially increase the risk of credential disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The verification examples retrieve and display `SecretData` directly in terminal output, which can expose live secrets to shell history, logs, CI/CD transcripts, screen recording, or shared terminals. In a secret-management skill, this is especially risky because users are likely to run the commands against production secrets, making accidental disclosure more likely.

Missing User Warnings

High
Confidence
98% confidence
Finding
The complete verification script includes `DeleteSecret --ForceDeleteWithoutRecovery true`, an irreversible destructive operation, without a prominent warning, confirmation step, or environment-safety guidance. Because this is presented as a runnable end-to-end verification flow, users may execute it against real secrets and cause permanent loss of credentials or service outages.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.