Security audit

Alibabacloud Migration Mas Product Mapping

Security checks across malware telemetry and agentic risk

Overview

The skill matches its cloud migration pricing purpose, but its pricing server uses Alibaba Cloud credentials through an unauthenticated network service.

Install only if you are comfortable running a local pricing helper that uses Alibaba Cloud credentials. Use a dedicated least-privilege RAM account, bind the service to localhost if possible, stop it after use, and do not point --pricing-url at an untrusted or non-HTTPS remote service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium, 93% confidence
Finding
Workbook-derived infrastructure metadata is transmitted to an external pricing service via HTTP requests without explicit user consent, data minimization, or clear disclosure of what leaves the local environment. In a migration context, instance specs, regions, and resource descriptors can reveal sensitive topology and capacity information, especially if the pricing URL is changed from localhost to a remote endpoint.

Missing User Warnings

Medium, 92% confidence
Finding
The script sends pricing request payloads to an external HTTP service, and those payloads are derived from spreadsheet contents that may reflect a customer's infrastructure inventory and sizing. Even though the code does not transmit raw workbook rows, the exported instance specs, database engines, storage sizes, and bandwidth information can still disclose sensitive environment details, and the default use of plain HTTP increases interception risk.

Missing User Warnings

Medium, 90% confidence
Finding
The service automatically resolves Alibaba Cloud credentials from the default provider chain and uses them to make outbound API calls based on user-supplied parameters, without any visible user disclosure, consent boundary, or authorization control. In a skill context, this means an external caller may be able to induce authenticated requests against the operator's cloud account, leaking metadata about account access and consuming trusted credentials in ways the user may not expect.

VirusTotal

VirusTotal findings are pending for this skill version.