Back to skill

Security audit

Alibabacloud Oss Manage Metaquery

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Alibaba Cloud OSS semantic-search management skill, but it can affect real cloud buckets and should be used with scoped credentials and careful confirmations.

Install only if you intend to manage Alibaba Cloud OSS MetaQuery. Use a dedicated RAM user or STS credentials scoped to the exact bucket, avoid root or account-wide keys, verify installer sources before running setup commands, confirm costs before indexing large buckets, and carefully review any create, delete, close-index, or presigned-preview action before approving it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill documents destructive and administrative actions—bucket creation, object deletion, bucket deletion, MetaQuery closure—that materially exceed a user expectation of 'enable and query semantic search.' Even with confirmation language, bundling these powers into one skill increases blast radius if the skill is mis-invoked or if a user interprets the skill as read-only/search-focused.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs users to install software via a remote shell pipeline (`curl ... | bash`) and then enable automatic plugin installation and updates. Fetching and executing remote bootstrap code without integrity verification creates a direct supply-chain and arbitrary-code-execution risk on the host running the skill.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This script provisions a new OSS bucket, which is infrastructure-modifying behavior outside the stated purpose of a metaquery/semantic-search skill. In an agent context, this expands the skill from read/query operations into resource creation, enabling unintended cloud changes, cost exposure, and creation of attacker-controlled storage targets if invoked with user-influenced parameters.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The call to create_bucket() gives the skill direct infrastructure provisioning capability without justification from its advertised semantic-search purpose. In a tool-using agent, this can be abused to create persistent cloud resources, incur charges, bypass expected least-privilege boundaries, and prepare storage for later exfiltration or staging of data.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list includes broad phrases like 'search by text,' which can match many unrelated user requests. Overbroad activation increases the risk that this high-capability cloud-storage skill is selected in contexts where the user did not intend to operate on OSS resources.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill recommends generating presigned URLs for previews but does not clearly warn that these links grant temporary access to potentially sensitive objects and may be exposed through logs, chats, browser history, or forwarding. In a content-search workflow, preview links may surface private media and documents outside the intended access boundary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.