Security audit

Alibabacloud Kvstore Health Inspection

Security checks across malware telemetry and agentic risk

Overview

This Redis inspection skill is not obviously malicious, but it can change Aliyun CLI setup, install plugins, and save sensitive cloud diagnostics, so it belongs in Review before installation.

Install only if you intend to let the skill inspect Alibaba Cloud Redis/Tair resources with an Aliyun profile. Use a least-privilege RAM role or user, avoid root AccessKeys, avoid full-account mode unless needed, review any plugin installation or CLI configuration changes first, and treat generated reports as sensitive because they may contain client IPs, instance details, Redis key names, and workload patterns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
Findings (27)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def ensure_cli_plugins():
    """Ensure required aliyun CLI plugins are installed."""
    try:
        subprocess.run(['aliyun', 'configure', 'set', '--auto-plugin-install', 'true'],
                       capture_output=True, text=True, timeout=10)
    except Exception:
        pass
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'configure', 'set', '--auto-plugin-install', 'true'], capture_output=True, text=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
capture_output=True, text=True, timeout=15)
            if result.returncode == 0 and f'aliyun-cli-{plugin}' not in result.stdout:
                print(f'  Installing CLI plugin: {plugin}...', end='', flush=True)
                install = subprocess.run(
                    ['aliyun', 'plugin', 'install', '--name', f'aliyun-cli-{plugin}'],
                    capture_output=True, text=True, timeout=60)
                if install.returncode == 0:
Confidence
96% confidence
Finding
install = subprocess.run( ['aliyun', 'plugin', 'install', '--name', f'aliyun-cli-{plugin}'], capture_output=True, text=True, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill exposes shell, environment, file read, and file write capabilities but does not declare permissions or prominently constrain them in a machine-enforceable way. In an agent setting, this creates unnecessary authority and weakens review boundaries, increasing the chance of unintended command execution, filesystem access, or data exposure during a health inspection workflow.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The hard rules say script failure must be reported with no alternative collection methods, yet later content permits a manual workflow when the script is unavailable. That contradiction can steer an agent into bypassing the approved control path and directly invoking lower-level APIs, undermining the safety boundary the skill claims to enforce.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill bans CloudMonitor/CMS APIs but also states alert history comes from CMS and requires CMS observability handling. This inconsistency can cause an agent to call prohibited CMS commands anyway, violating the declared data-collection boundary and potentially expanding the scope of accessible account telemetry.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
A health-inspection skill is expected to be read-only, but this code alters host configuration and installs software plugins. That mismatch in capability makes the skill more dangerous because users may invoke it expecting observation only, while it performs persistent system changes and adds supply-chain exposure.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
Invoking `sync` is a host-level side effect not justified by the inspection/reporting purpose and violates least privilege. While not typically directly exploitable, it demonstrates unnecessary system interaction that broadens the tool’s operational footprint beyond read-only inspection.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Broad trigger phrases like CPU usage, memory usage, connection usage, and bandwidth usage are generic monitoring terms that can activate the skill in contexts the user did not intend. Because this skill can enumerate instances and generate reports, overbroad activation increases the risk of unintended cloud inventory access and report creation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill supports --all account-wide inspection and automatic report generation, but the user-facing description does not clearly warn that this can enumerate all Redis instances and write output files. Without clear notice, users may trigger broader data collection and local artifact creation than they expected.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide tells users to configure AccessKey credentials and explicitly export secrets as environment variables, but it does not warn that these values are highly sensitive or that shell environments, process listings, logs, history, CI systems, and shared terminals can expose them. In a cloud-administration skill, credential-handling guidance is security-sensitive because compromised keys could allow unauthorized access to Redis instances and potentially broader Alibaba Cloud resources.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow directs operators to retrieve full Redis session data, including source IP distribution and per-session details, which can expose sensitive operational metadata and potentially customer/client identifiers. In a manual workflow document, the absence of any minimization, masking, access-control warning, or handling guidance increases the risk that this data will be over-collected, copied into reports, or shared beyond those with a need to know.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The big key, hot key, and slow log steps may reveal raw key names, sample keys, command patterns, and access characteristics that often encode business identifiers, tenant names, user IDs, or other application-sensitive data. Because the document presents these inspection steps without any warning, sanitization requirement, or reporting restrictions, it creates a realistic risk of sensitive data exposure during troubleshooting and report generation.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The report includes sensitive operational data such as client IPs, active session details, node IDs, and Redis key names, which may expose application data patterns and infrastructure internals. In a health-inspection context this is especially risky because the output is designed for broad review and may be shared or stored without realizing its sensitivity.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script writes rich infrastructure and workload data to local files, defaulting to `~/Downloads`, without warning about the sensitivity of the contents. This increases the risk of accidental disclosure through endpoint backups, local sharing, weak workstation permissions, or later exfiltration from disk.
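The four warnings above (session data with source IPs, big/hot key and slow log output, the report contents, and the `~/Downloads` default) share one remedy: minimize before writing, and write carefully. The block below is an added example, not the skill's code. It redacts a constructed sample report (the field names, the instance id and the key names are invented here; the data categories are the ones the audit lists) and writes it owner-only without overwriting. IPv4 addresses are truncated to /24 and IPv6 to /48, key names keep their leading namespace and get a keyed HMAC tag so the same key can still be correlated across sections of one report.

```python
import hashlib
import hmac
import ipaddress
import json
import os
import secrets
import tempfile

# Constructed sample report; field names and the instance id are invented for
# the example. The categories (client IPs, node ids, key names, slow log) are
# the ones the audit says the real report contains.
SAMPLE_REPORT = {
    "instance": {"InstanceId": "r-bp1example", "NodeIds": ["r-bp1example-db-0"]},
    "sessions": [{"ClientIp": "10.20.30.40", "Count": 12},
                 {"ClientIp": "2001:db8::1", "Count": 1}],
    "big_keys": [{"Key": "tenant:acme:user:1001:cart", "Bytes": 1048576}],
    "slow_log": [{"Command": "KEYS tenant:acme:*", "Ms": 120}],
}


def mask_ip(ip: str) -> str:
    """Keep the network part (IPv4 /24, IPv6 /48) and drop the host part."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid-ip"
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return f"{net.network_address}/{prefix}"


def pseudonymize_key(key: str, secret: bytes) -> str:
    """Keep the leading namespace (useful for diagnosis) and replace the rest of
    the key name with a keyed, truncated HMAC so the same key stays correlatable
    across report sections without exposing tenant or user identifiers."""
    namespace, sep, _rest = key.partition(":")
    tag = hmac.new(secret, key.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{namespace}:<{tag}>" if sep else f"<{tag}>"


def redact_report(report, secret: bytes):
    """Recursively mask ClientIp, Key and the argument part of Command fields."""
    def walk(node):
        if isinstance(node, dict):
            out = {}
            for k, v in node.items():
                if k == "ClientIp" and isinstance(v, str):
                    out[k] = mask_ip(v)
                elif k == "Key" and isinstance(v, str):
                    out[k] = pseudonymize_key(v, secret)
                elif k == "Command" and isinstance(v, str):
                    verb, _, arg = v.partition(" ")
                    out[k] = f"{verb} {pseudonymize_key(arg, secret)}" if arg else verb
                else:
                    out[k] = walk(v)
            return out
        if isinstance(node, list):
            return [walk(x) for x in node]
        return node
    return walk(report)


def write_report(report, path: str) -> str:
    """Create the file owner-only (0600) and refuse to overwrite an existing one,
    instead of dropping a world-readable file into ~/Downloads."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(report, f, indent=2)
    return path


def demo(out_dir: str = None) -> dict:
    """Redact the sample, write it under out_dir (a fresh temp dir by default)
    and return the facts worth checking."""
    secret = secrets.token_bytes(32)  # per-report secret; do not reuse across tenants
    redacted = redact_report(SAMPLE_REPORT, secret)
    target = os.path.join(out_dir or tempfile.mkdtemp(), "kvstore-report.json")
    path = write_report(redacted, target)
    serialized = json.dumps(redacted)
    return {
        "ipv4": redacted["sessions"][0]["ClientIp"],
        "ipv6": redacted["sessions"][1]["ClientIp"],
        "key": redacted["big_keys"][0]["Key"],
        "command": redacted["slow_log"][0]["Command"],
        "leaks_tenant": "acme" in serialized,
        "mode": os.stat(path).st_mode & 0o777,
        "path": path,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the HMAC secret is generated per report, tags are stable within one report but cannot be joined across reports; if cross-report correlation is needed, keep one secret per environment under the same access controls as the AccessKey.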

Ssd 4

Medium
Confidence
95% confidence
Finding
Referencing a manual API workflow as a fallback contradicts the earlier requirement to use only the script and not attempt alternate retrieval on failure. In practice, an agent may treat the reference as authorization to bypass the controlled wrapper and perform direct CLI/API collection, weakening safety and auditability.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
"hookSpecificOutput": {
    "hookEventName": "PreToolUse",
    "permissionDecision": "allow",
    "permissionDecisionReason": "Read operation API ($ACTION), no confirmation needed."
  }
}
EOF
Confidence
84% confidence
Finding
no confirmation
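The quoted hook returns `"permissionDecision": "allow"` with the reason "Read operation API", but nothing visible on the page shows how the hook decides that an action is read-only. The following is an added example of a PreToolUse policy, not the skill's hook: it auto-allows only `aliyun r-kvstore Describe*/List*/Get*` calls with CapitalCase API parameters, denies `aliyun configure` and `aliyun plugin` (persistent host changes), and sends everything else, including `cms`/`das` calls, lowercase global flags such as `--profile`, and any pipeline like `curl ... | bash`, back to the user. The `hookSpecificOutput` shape follows the snippet above; the `deny` and `ask` values and the `tool_input.command` stdin field are assumptions for this example.

```python
import json
import re
import shlex
import sys

READ_ONLY_ACTION = re.compile(r"^(Describe|List|Get)[A-Z][A-Za-z0-9]*$")
AUTO_ALLOWED_PRODUCTS = {"r-kvstore"}               # cms and das are not auto-approved here
STATE_CHANGING_SUBCOMMANDS = {"configure", "plugin"}  # persistent CLI/host changes
SHELL_META = ("|", ";", "&", ">", "<", "$(", "`")


def classify(command: str) -> tuple:
    """Return (permissionDecision, reason) for the command the agent wants to run."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return "deny", "command could not be parsed"
    if not argv:
        return "deny", "empty command"
    if any(meta in tok for tok in argv for meta in SHELL_META):
        return "ask", "compound or redirected command; review manually"
    if argv[0] != "aliyun":
        return "ask", f"not an aliyun call: {argv[0]}"
    if len(argv) < 3:
        return "ask", "incomplete aliyun call"
    if argv[1] in STATE_CHANGING_SUBCOMMANDS:
        return "deny", f"aliyun {argv[1]} changes CLI state on the host; run it by hand"
    if argv[1] not in AUTO_ALLOWED_PRODUCTS:
        return "ask", f"product {argv[1]} is outside the read-only allowlist"
    action = argv[2]
    if not READ_ONLY_ACTION.match(action):
        return "ask", f"{action} is not a Describe/List/Get action"
    for tok in argv[3:]:
        # API parameters are --CapitalCase; lowercase --flags are global CLI
        # options (--profile, --mode, --access-key-id) and are never auto-approved.
        if tok.startswith("--") and not tok[2:3].isupper():
            return "ask", f"global CLI flag {tok} requires review"
    return "allow", f"Read operation API ({action}), no confirmation needed."


def hook_output(command: str) -> dict:
    """Build the hookSpecificOutput object in the shape quoted in the finding."""
    decision, reason = classify(command)
    return {"hookSpecificOutput": {"hookEventName": "PreToolUse",
                                   "permissionDecision": decision,
                                   "permissionDecisionReason": reason}}


if __name__ == "__main__":
    # Assumed input shape: a JSON object on stdin carrying tool_input.command.
    payload = json.load(sys.stdin)
    print(json.dumps(hook_output(payload.get("tool_input", {}).get("command", ""))))
```

The deliberate asymmetry is that the hook only ever says "allow" for a narrow, positively matched pattern; anything it does not recognise falls through to "ask", so a new CLI subcommand or an unusual quoting trick costs a confirmation rather than a silent approval.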

Unvalidated Output Injection

High
Category
Output Handling
Content
cmd.extend([f'--{key}', str(value)])

    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        if result.returncode == 0:
            return json.loads(result.stdout)
    except (subprocess.TimeoutExpired, json.JSONDecodeError):
Confidence
95% confidence
Finding
subprocess.run(cmd, capture_output
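Most of the "Unvalidated Output Injection" hits in this report are the scanner flagging every `subprocess.run(..., capture_output=True)` whose output is consumed; the actionable part is what flows into and out of those calls. Two of the quoted lines matter: `cmd.extend([f'--{key}', str(value)])` puts caller-supplied keys and values on the aliyun command line unchecked (a key such as `profile` or a value starting with `-` becomes a CLI option), and the plugin loop both flips `--auto-plugin-install` and installs plugins on the operator's machine. The block below is an added example, not the skill's code, of a wrapper that validates the call before running it and reports missing plugins instead of installing them. The allowlists are assumptions for this example; the one fact relied on is that aliyun global flags are lowercase (`--profile`, `--region`) while API parameters are CapitalCase (`--RegionId`), so restricting keys to CapitalCase keeps credential and profile switches out of reach.

```python
import json
import re
import shlex
import subprocess
from typing import Any, Optional

# Hypothetical allowlists for this example (not the skill's).
ALLOWED_PRODUCTS = {"r-kvstore"}
READ_ONLY_ACTION = re.compile(r"^(Describe|List|Get)[A-Z][A-Za-z0-9]*$")
PARAM_KEY = re.compile(r"^[A-Z][A-Za-z0-9.]{0,63}$")       # --RegionId, --PageNumber
PARAM_VALUE = re.compile(r"^[A-Za-z0-9_.:@/ ,-]{0,256}$")  # no control chars, bounded
REQUIRED_PLUGINS = ("r-kvstore", "cms", "das")             # the set the skill installs


def validate_call(product: str, action: str, params: dict) -> Optional[str]:
    """Return the reason a call must not be made, or None if it is acceptable."""
    if product not in ALLOWED_PRODUCTS:
        return f"product not allowed: {product!r}"
    if not READ_ONLY_ACTION.match(action):
        return f"not a Describe/List/Get action: {action!r}"
    for key, value in params.items():
        if not PARAM_KEY.match(str(key)):
            return f"bad parameter name: {key!r}"
        text = str(value)
        if text.startswith("-") or not PARAM_VALUE.match(text):
            return f"bad value for {key}: {text!r}"
    return None


def build_aliyun_command(product: str, action: str, params: dict) -> list:
    """argv for a validated read-only call; raises ValueError otherwise."""
    problem = validate_call(product, action, params)
    if problem:
        raise ValueError(problem)
    cmd = ["aliyun", product, action]
    for key, value in params.items():
        cmd.extend([f"--{key}", str(value)])
    return cmd


def missing_plugins(plugin_list_output: str, required=REQUIRED_PLUGINS) -> list:
    """Which required plugins are absent from `aliyun plugin list` output.

    Reports only: it neither installs plugins nor enables --auto-plugin-install,
    so the operator makes those persistent changes deliberately. Names are
    matched as whole `aliyun-cli-<name>` tokens (format assumed from the skill's
    own substring check), so `aliyun-cli-cms-foo` does not satisfy `cms`.
    """
    installed = set(re.findall(r"\baliyun-cli-([a-z0-9-]+)", plugin_list_output))
    return [p for p in required if p not in installed]


def parse_json_response(stdout: str, max_bytes: int = 8 * 1024 * 1024) -> dict:
    """Accept only a JSON object of bounded size; anything else is an error,
    not the silent None the skill returns."""
    if len(stdout) > max_bytes:
        raise ValueError("response exceeds size bound")
    data = json.loads(stdout)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    return data


def run_read_only(product: str, action: str, timeout: int = 10, **params: Any) -> dict:
    """Run one validated read-only call and return its parsed response."""
    cmd = build_aliyun_command(product, action, params)
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    if result.returncode != 0:
        raise RuntimeError(f"{shlex.join(cmd)} failed: {result.stderr.strip()[:500]}")
    return parse_json_response(result.stdout)


if __name__ == "__main__":
    # Needs a configured aliyun CLI with the r-kvstore plugin; region assumed.
    print(json.dumps(run_read_only("r-kvstore", "DescribeInstances",
                                   RegionId="cn-hangzhou"))[:400])
```

Failures surface as exceptions with the exact argv in the message, which also gives the audit trail the "Intent-Code Divergence" findings ask for: if the wrapper fails, the caller sees why rather than quietly falling back to a manual API path.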

Unvalidated Output Injection

High
Category
Output Handling
Content
# Check aliyun CLI availability
    try:
        result = subprocess.run(['aliyun', 'version'], capture_output=True, text=True, timeout=5)
        if result.returncode != 0:
            raise FileNotFoundError
    except (FileNotFoundError, subprocess.TimeoutExpired):
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'version'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
def _sync_after_install():
    """Flush filesystem caches after plugin installation."""
    try:
        subprocess.run(['sync'], capture_output=True, text=True, timeout=10)
    except Exception:
        pass
    time.sleep(1)
Confidence
95% confidence
Finding
subprocess.run(['sync'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
def ensure_cli_plugins():
    """Ensure required aliyun CLI plugins are installed."""
    try:
        subprocess.run(['aliyun', 'configure', 'set', '--auto-plugin-install', 'true'],
                       capture_output=True, text=True, timeout=10)
    except Exception:
        pass
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'configure', 'set', '--auto-plugin-install', 'true'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
required_plugins = ['r-kvstore', 'cms', 'das']
    for plugin in required_plugins:
        try:
            result = subprocess.run(['aliyun', 'plugin', 'list'],
                                    capture_output=True, text=True, timeout=15)
            if result.returncode == 0 and f'aliyun-cli-{plugin}' not in result.stdout:
                print(f'  Installing CLI plugin: {plugin}...', end='', flush=True)
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'plugin', 'list'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
capture_output=True, text=True, timeout=15)
            if result.returncode == 0 and f'aliyun-cli-{plugin}' not in result.stdout:
                print(f'  Installing CLI plugin: {plugin}...', end='', flush=True)
                install = subprocess.run(
                    ['aliyun', 'plugin', 'install', '--name', f'aliyun-cli-{plugin}'],
                    capture_output=True, text=True, timeout=60)
                if install.returncode == 0:
Confidence
95% confidence
Finding
subprocess.run( ['aliyun', 'plugin', 'install', '--name', f'aliyun-cli-{plugin}'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
max_attempts = 5
    for attempt in range(max_attempts):
        try:
            result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
            combined_output = (result.stdout or '') + (result.stderr or '')
            if 'text file busy' in combined_output.lower() and attempt < max_attempts - 1:
                time.sleep(2)
Confidence
95% confidence
Finding
subprocess.run(cmd, capture_output

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
sudo mv aliyun /usr/local/bin/

# Or using package manager (Ubuntu/Debian/CentOS/RHEL)
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | sudo bash

# Or using Homebrew (macOS)
brew upgrade aliyun-cli
Confidence
98% confidence
Finding
sudo

External Script Fetching

High
Category
Supply Chain
Content
> **Pre-check: Aliyun CLI >= 3.3.3 required**
> Run `aliyun version` to verify >= 3.3.3. If not installed or version too low,
> see `references/cli-installation-guide.md` for detailed installation instructions,
> or run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` to install/update.
> Then [MUST] run `aliyun configure set --auto-plugin-install true` to enable automatic plugin installation.
> Then [MUST] run `aliyun plugin update` to ensure plugins are up-to-date.
Confidence
98% confidence
Finding
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash
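The two findings above (the `sudo` installation path and the `curl ... | bash` pre-check) describe the same supply-chain exposure: an unpinned script fetched over the network is executed, in one variant as root, with no way to know afterwards what ran. The block below is an added example, not part of the skill or of Alibaba Cloud's installer: it checks the installed CLI against the 3.3.3 minimum the pre-check states, and otherwise downloads `setup.sh` to a private file and refuses to hand it over for execution unless its SHA-256 matches a digest the operator verified out of band. The `ALIYUN_SETUP_SHA256` variable, the `aliyun version` output format (first X.Y.Z triplet) and the digest-distribution process are assumptions for this example; the `aliyun configure set --auto-plugin-install true` and `aliyun plugin update` steps stay manual.

```python
import hashlib
import hmac
import os
import re
import subprocess
import sys
import tempfile
import urllib.request

SETUP_URL = "https://aliyuncli.alicdn.com/setup.sh"   # the URL the skill's pre-check uses
MIN_VERSION = (3, 3, 3)                                # the minimum the pre-check states
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """First X.Y.Z triplet in `aliyun version` output (output format assumed)."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def version_ok(text: str, minimum=MIN_VERSION) -> bool:
    v = parse_version(text)
    return v is not None and v >= minimum


def installed_cli_version():
    """Triplet of the installed CLI, or None if absent, hanging or failing."""
    try:
        r = subprocess.run(["aliyun", "version"], capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_version(r.stdout + r.stderr) if r.returncode == 0 else None


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path: str, expected_hex: str) -> bool:
    """Constant-time comparison of the file digest against the pinned value."""
    return hmac.compare_digest(sha256_file(path).lower(), expected_hex.strip().lower())


def fetch_and_verify_installer(expected_hex: str, url: str = SETUP_URL) -> str:
    """Download to a 0600 temp file; return its path only if the digest matches."""
    fd, path = tempfile.mkstemp(prefix="aliyun-setup-", suffix=".sh")
    with os.fdopen(fd, "wb") as f, urllib.request.urlopen(url, timeout=30) as resp:
        f.write(resp.read())
    if not verify_digest(path, expected_hex):
        os.unlink(path)
        raise RuntimeError("installer digest mismatch; refusing to run it")
    return path


def digest_self_check() -> tuple:
    """Offline check with a constructed file: right digest verifies, wrong one does not."""
    body = b"#!/bin/sh\necho constructed installer\n"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(body)
    try:
        return (verify_digest(path, hashlib.sha256(body).hexdigest()),
                verify_digest(path, "0" * 64))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    v = installed_cli_version()
    if v and v >= MIN_VERSION:
        print("aliyun CLI %s meets the minimum; nothing to install" % ".".join(map(str, v)))
        sys.exit(0)
    expected = os.environ.get("ALIYUN_SETUP_SHA256")  # hypothetical: set from a digest you checked out of band
    if not expected:
        sys.exit("set ALIYUN_SETUP_SHA256 before installing; refusing to pipe an unverified script to a shell")
    script = fetch_and_verify_installer(expected)
    print(f"verified installer saved at {script}; read it, then run it with the least privilege its target directory needs")
```

The script deliberately stops short of executing the installer. Running it remains an explicit operator step, so the host change is reviewed rather than performed as a side effect of starting an inspection.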

VirusTotal

65/65 vendors flagged this skill as clean.