Back to skill

Security audit

Alibabacloud Mcp Core Script Generate

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Alibaba Cloud RunScript generator with a local validator; it has limited metadata network lookups but no hidden persistence, credential collection, or unrelated behavior.

Install only if you are comfortable with the skill using Alibaba Cloud API discovery services and a local Python validator. Review generated scripts before running them, especially scripts that create, update, or delete cloud resources, and treat the API metadata lookup as a small disclosure of intended Alibaba Cloud product/action usage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill advertises itself as a script generator, but it also instructs analysis of local files, local CLI processing, network retrieval of API metadata, and validation workflows. This broadens the operational surface beyond user expectations and can cause an agent to access local resources or external endpoints under the guise of simple code generation, increasing the risk of unintended data exposure or policy bypass.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill explicitly directs the agent to use external HTTP fetching and local shell tools such as curl, python3 -c, grep, or jq to obtain and process API metadata. These instructions expand execution from sandbox-compatible script generation into network and local command execution, which can be abused to bypass tool restrictions, expose local data, or create command-injection opportunities in less constrained runtimes.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The skill states there should be no local execution, but later mandates writing a script to /tmp and running a local validator with python3. This contradiction is dangerous because it normalizes local file writes and code-related execution steps in a context presented as sandbox-safe, potentially misleading agents or users into allowing host-side actions they would otherwise reject.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script imports urllib and later uses it to fetch API metadata from an external endpoint, creating outbound network behavior not strictly necessary for an offline sandbox pre-checker. In a code-generation skill context, this increases data egress and supply-chain risk because analyzed script content can influence remote requests and validation depends on unpinned external metadata.

External Transmission

Medium
Category
Data Exfiltration
Content
CLI_META_PRODUCTS = {"configure", "plugin", "ossutil", "autocompletion"}

# ── API Metadata (public endpoint, no auth) ──
API_META_URL = "https://api.aliyun.com/meta/v1/products/{product}/versions/{version}/apis/{action}/api.json"
_API_DEF_CACHE = {}  # in-memory cache: "Product.Version.Action" → api def dict

SDK_PATTERNS = [
Confidence
88% confidence
Finding
https://api.aliyun.com/

External Transmission

Medium
Category
Data Exfiltration
Content
def _check_api_params(source: str, violations: list[dict]):
    """Validate call_cli params against OpenAPI definitions from public metadata endpoint.

    Fetches https://api.aliyun.com/meta/v1/... (no auth, no disk writes) for each
    unique product/version/action, then checks:
      - API-PARAM-UNKNOWN:  param name not in API definition
      - API-PARAM-REQUIRED: required param missing
Confidence
90% confidence
Finding
https://api.aliyun.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.