
Security audit

Alibabacloud Mongodb Health Inspect

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Alibaba Cloud MongoDB inspection skill, but it needs Review because it combines sensitive cloud-wide inspection with broad install/update steps and some under-disclosed side effects.

Install only if you intend to let the agent inspect Alibaba Cloud DDS resources. Use a least-privilege RAM role or short-lived credentials, avoid the curl-to-bash install path, disable broad --all scans unless needed, and store generated reports in a secure location because they may contain slow queries, session data, and fleet metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The guide expands the skill's scope beyond MongoDB health inspection by encouraging installation of arbitrary product plugins and exploration of unrelated services like ECS and FC. In an agent context, this broadens available capabilities and increases the chance of unintended or excessive cross-service access if the documentation is followed too literally.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document sets a strict safety rule that agents should only use `aliyun configure list`, but later instructs use of `aliyun configure get`, creating contradictory operational guidance. Conflicting instructions in security-sensitive credential handling can cause an agent to access more configuration detail than intended, including profile metadata that may expose authentication setup or encourage unsafe follow-on actions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is described as read-only, but inspect_space calls CreateStorageAnalysisTask, which initiates a remote task and changes server-side state. In an agent context, misleading users about side effects undermines consent and can trigger unexpected activity, permissions use, auditing noise, or billable operations.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger list contains broad phrases like '资源使用率' (resource utilization), '慢查询' (slow query), '配置检查' (configuration check), and '风险评估' (risk assessment) that could match generic monitoring or database-analysis requests outside Alibaba Cloud DDS. This can cause accidental invocation in the wrong context, leading the agent to run cloud-inspection actions or generate local reports when the user did not intend to target Alibaba Cloud MongoDB resources.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill states that the script outputs reports to ~/Downloads/ by default but does not prominently warn users in the description or trigger-facing text that local files will be created. Unexpected filesystem writes can expose sensitive operational data on shared workstations or managed agent environments and may violate user expectations about read-only analysis.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes detailed inspection reports to local disk by default, including instance metadata, performance data, slow queries, session details, and alert history, without an explicit warning before persistence. In a shared workstation or agent-run environment, this can expose sensitive operational data to unintended local users, backups, or other processes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The batch summary writer stores aggregated results for multiple instances into an HTML file without a strong prior notice that cross-instance operational data will be persisted locally. In multi-instance/account-wide inspections, this broadens the blast radius of local data exposure and may reveal fleet-wide identifiers, utilization, and risk posture.

Unvalidated Output Injection

High
Category
Output Handling
Content
        cmd.extend([f'--{key}', str(value)])

    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        if result.returncode == 0:
            return json.loads(result.stdout)
    except (subprocess.TimeoutExpired, json.JSONDecodeError):
Confidence
95% confidence
Finding
subprocess.run(cmd, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
    # Check if aliyun CLI is available
    try:
        result = subprocess.run(['aliyun', 'version'], capture_output=True, text=True, timeout=5)
        if result.returncode != 0:
            raise FileNotFoundError
    except (FileNotFoundError, subprocess.TimeoutExpired):
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'version'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
    for key, value in kwargs.items():
        cmd.extend([f'--{key}', str(value)])
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        if result.returncode == 0:
            try:
                return json.loads(result.stdout)
Confidence
95% confidence
Finding
subprocess.run(cmd, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
    _INSPECT_ITEMS = set(args.item) if args.item else set(ALL_ITEMS)

    try:
        result = subprocess.run(['aliyun', 'version'], capture_output=True, text=True, timeout=5)
        if result.returncode != 0:
            raise FileNotFoundError
    except (FileNotFoundError, subprocess.TimeoutExpired):
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'version'], capture_output

Session Persistence

Medium
Category
Rogue Agent
Content
1. Log in to Aliyun Console: https://ram.console.aliyun.com/
2. Navigate to: AccessKey Management
3. Create a new AccessKey pair
4. Save the secret immediately — it's only shown once

### Configuration Modes
Confidence
84% confidence
Finding
Create a new AccessKey pair 4. Save the secret immediately — it's only shown once ### Configuration Modes Aliyun CLI supports 6 authentication modes. All examples below use non-interactive flags. >

External Script Fetching

High
Category
Supply Chain
Content
**Pre-check: Aliyun CLI >= 3.3.3 required**
> Run `aliyun version` to verify >= 3.3.3. If not installed or version too low,
> run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` to install/update,
> or see `references/cli-installation-guide.md` for installation instructions.
> Then [MUST] run `aliyun configure set --auto-plugin-install true` to enable automatic plugin installation.
> Then [MUST] run `aliyun plugin update` to ensure that any existing plugins are always up-to-date.
Confidence
98% confidence
Finding
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash

VirusTotal

VirusTotal findings are pending for this skill version.
