Back to skill

Security audit

Alibabacloud Odps Quota Manage

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly aligned with Alibaba Cloud MaxCompute quota management, but it includes overbroad credential/permission guidance, billable cloud actions, and mandatory local logging that users should review before installing.

Install only if you are comfortable letting an agent use Aliyun CLI credentials to inspect and potentially create MaxCompute quota resources. Use a narrowly scoped RAM policy for quota APIs, avoid the Resource "*" and broad MaxComputeFullAccess examples unless intentionally needed, do not paste real AccessKeys into command lines or chat, and review/delete the generated output and action-log files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file is substantially over-scoped for a MaxCompute/ODPS quota-management skill: it teaches general Aliyun CLI installation, credential setup, RAM role usage, ECS commands, plugin management, proxy configuration, and unrelated service exploration. In an agent skill context, this expands operator and model affordances beyond the declared purpose, increasing the chance of unnecessary privileged access and misuse of unrelated cloud services.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The guide explicitly instructs users to install arbitrary product plugins and explore unrelated service commands, which enables capabilities far outside quota management. In a skill package, this materially broadens the accessible command surface and can facilitate accidental or unauthorized actions against other Alibaba Cloud services.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The authentication section includes privileged and cross-account modes such as RamRoleArn and RamRoleArnWithEcs, plus guidance on obtaining long-lived AccessKeys, which exceed the stated quota-management use case. This is dangerous because it normalizes elevated, persistent, and potentially cross-account credential use where a narrowly scoped role or temporary credential would suffice.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The CLI example creates a custom RAM policy with `"Resource": "*"`, which directly contradicts the document's earlier least-privilege examples that scope access to `acs:odps:*:<your-account-id>:quota/*`. Users commonly copy CLI snippets verbatim, so this can lead to unnecessarily broad permissions being deployed and increase blast radius if the principal is compromised or reused.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
Recommending `AliyunMaxComputeFullAccess` or even broad MaxCompute read-only policies is inconsistent with a skill focused specifically on quota management. This can cause operators to grant substantially more permissions than needed, exposing unrelated MaxCompute resources and actions beyond quota administration.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill mandates writing outputs and action logs to local files without warning the user or making persistence optional. This creates filesystem side effects and may leave behind operational artifacts on the host, which is risky in shared, ephemeral, or sensitive environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document includes quota creation operations, explicitly noting that subscription quota creation will incur charges, but it does not require an explicit confirmation step or strongly constrain testing to read-only flows. In an agent-skill context, documenting charge-incurring commands as normal acceptance criteria increases the chance an automated agent or user will execute billable operations unintentionally.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The examples pass access key material directly on the command line, which can leak through shell history, process listings, terminal logging, CI logs, and audit tooling. In automation and agent-driven environments, that exposure risk is amplified because commands may be recorded or surfaced to other systems.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The CLI example grants wildcard resource access without warning the reader that the example is broader than the recommended quota-scoped policies shown earlier. In a permissioning document, missing cautionary language is dangerous because readers may assume the example is safe-by-default and unintentionally provision excessive privileges.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The CreateQuota section gives ready-to-run quota provisioning commands and examples without warning that the action creates billable cloud resources. In an agent skill context, this omission can mislead users or downstream automation into provisioning paid MaxCompute capacity unintentionally, causing unexpected spend.

Ssd 3

Medium
Confidence
95% confidence
Finding
Persisting full quota results and a detailed action log to local plaintext files can retain sensitive operational metadata such as quota names, regions, statuses, and user-provided identifiers. In multi-user or monitored environments, those files can be accessed later and expose information beyond the immediate task context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.