Back to skill

Security audit

Alibabacloud Network Mtr Diagnosis

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Alibaba Cloud network-diagnosis tool, but it includes broader-than-needed remote command execution paths that should be reviewed before installation.

Install only if you are comfortable granting Alibaba Cloud ECS remote command execution authority. Use a tightly scoped RAM policy limited to the intended ECS instances, review any command before approval, and avoid using the raw run-command subcommand. Treat ipinfo.io enrichment as third-party network metadata sharing, and prefer a version that removes the TLS-verification fallback and restricts remote commands to fixed diagnostic templates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
shell_cmd = " ".join(shlex.quote(c) for c in cmd)
    try:
        result = subprocess.run(
            shell_cmd, shell=True, capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
Confidence
96% confidence
Finding
result = subprocess.run( shell_cmd, shell=True, capture_output=True, text=True, timeout=timeout, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"[WARNING] Transient error for {product} {api}, retrying...",
                  file=sys.stderr)
            try:
                retry_result = subprocess.run(
                    shell_cmd, shell=True, capture_output=True, text=True, timeout=timeout)
                if retry_result.returncode == 0:
                    try:
Confidence
96% confidence
Finding
retry_result = subprocess.run( shell_cmd, shell=True, capture_output=True, text=True, timeout=timeout)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly instructs use of shell commands, local file paths, environment-dependent credential chains, and outbound network access, yet no explicit permissions are declared. This creates a governance gap: a hosting platform may expose more capability than users realize, and reviewers cannot accurately enforce least privilege for a skill that can invoke cloud APIs and remote command execution on ECS instances.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The analyzer sends destination and intermediate hop IPs to ipinfo.io to enrich reports with ISP names, which discloses network-path metadata to a third party. In a network-diagnostics skill, hop IPs can reveal internal topology, provider choices, customer endpoints, and troubleshooting targets; doing this automatically without necessity or clear consent creates a real data exposure risk.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
On SSL certificate verification failure, the code downgrades to an unverified TLS context with hostname checks disabled and certificate validation turned off. This allows a man-in-the-middle attacker to intercept or spoof ipinfo.io responses, causing untrusted network data to be accepted as authoritative and normalizing insecure transport behavior.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The CLI exposes a generic `run-command` subcommand that accepts arbitrary shell script content and sends it to Alibaba Cloud Cloud Assistant for execution on the target ECS instance. That capability is far broader than the stated MTR/network-diagnosis purpose and enables unrestricted remote code execution on user infrastructure if invoked through the skill.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
`run_remote_command()` is a reusable primitive for executing arbitrary Base64-encoded shell scripts on ECS instances via Cloud Assistant, with no validation of script contents or limitation to diagnostic commands. In a troubleshooting skill, this creates a powerful execution sink that can be abused to run destructive or persistence-establishing commands on remote hosts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code performs external IP lookups without any user-facing warning, consent, or disclosure, so users may unknowingly transmit sensitive routing information off-platform. In this skill context, MTR data often comes from production ECS instances and customer networks, making silent exfiltration of hop IPs more sensitive than in a generic consumer utility.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The environment check inspects whether cloud access keys and related configuration are present, but the code provides no user-facing warning that sensitive credential state is being inspected. In an agent setting, silently probing cloud credential presence can surprise users and increase privacy and trust risks, especially when paired with remote diagnostic capabilities.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file exposes raw remote shell execution through the `run-command` CLI path without any user-facing warning, safety gate, or confirmation flow in this code path. Because the command runs on ECS instances, accidental or coerced use could lead to unintended system changes or data exposure even if the operator did not realize the scope of execution.

Unvalidated Output Injection

High
Category
Output Handling
Content
shell_cmd = " ".join(shlex.quote(c) for c in cmd)
    try:
        result = subprocess.run(
            shell_cmd, shell=True, capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
Confidence
91% confidence
Finding
subprocess.run( shell_cmd, shell=True, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
print(f"[WARNING] Transient error for {product} {api}, retrying...",
                  file=sys.stderr)
            try:
                retry_result = subprocess.run(
                    shell_cmd, shell=True, capture_output=True, text=True, timeout=timeout)
                if retry_result.returncode == 0:
                    try:
Confidence
91% confidence
Finding
subprocess.run( shell_cmd, shell=True, capture_output

Tool Parameter Abuse

High
Category
Tool Misuse
Content
shell_cmd = " ".join(shlex.quote(c) for c in cmd)
    try:
        result = subprocess.run(
            shell_cmd, shell=True, capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
Confidence
95% confidence
Finding
subprocess.run( shell_cmd, shell=True

Tool Parameter Abuse

High
Category
Tool Misuse
Content
print(f"[WARNING] Transient error for {product} {api}, retrying...",
                  file=sys.stderr)
            try:
                retry_result = subprocess.run(
                    shell_cmd, shell=True, capture_output=True, text=True, timeout=timeout)
                if retry_result.returncode == 0:
                    try:
Confidence
95% confidence
Finding
subprocess.run( shell_cmd, shell=True

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.insecure_tls_verification

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/mtr_analyze.py:261