Security audit

Alibabacloud Oss Media Process

Security checks across malware telemetry and agentic risk

Overview

This media-processing skill is mostly coherent, but it gives an agent broad Alibaba Cloud admin and deletion powers that deserve careful review before installation.

Install only if you are comfortable letting the agent operate Alibaba Cloud OSS and IMM resources. Use a least-privilege RAM policy scoped to a dedicated bucket and prefix, avoid granting imm:DeleteProject unless you truly need admin cleanup, review any auto-setup or lifecycle changes before use, keep output paths inside a workspace directory, and use face/body analysis only with appropriate consent and legal basis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (14)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%

Finding: This script includes account-level IMM administration capabilities such as project creation, bucket attachment, and lifecycle management that go beyond a narrowly scoped media-processing skill. In an agent context, this expands the blast radius from processing a user-specified object to modifying persistent cloud resources, increasing the risk of unauthorized configuration changes or abuse if invoked indirectly.

Context-Inappropriate Capability

Severity: High
Confidence: 97%

Finding: The script can delete IMM projects, which is a destructive administrative action unrelated to routine media transformation. If exposed through an agent skill, a prompt injection, misuse, or operator mistake could remove projects and disrupt dependent workflows, causing configuration loss or service outage.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%

Finding: The list/get/check functionality enables account-wide enumeration and inspection of IMM projects and bucket bindings, exceeding the stated media-processing scope. Even without direct destruction, this exposes cloud inventory and relationships that can aid reconnaissance and facilitate broader misuse of the environment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%

Finding: The skill accepts arbitrary HTTP(S) URLs and local file paths via --uri, then downloads or reads them and uploads the bytes to OSS. This expands the capability from OSS media processing into a generic file fetch/upload primitive, enabling unintended access to local files or attacker-controlled remote resources if an upstream agent can influence parameters.

Description-Behavior Mismatch

Severity: High
Confidence: 97%

Finding: Blind watermark URL mode modifies the bucket lifecycle policy to add or update a cleanup rule for temporary objects. Changing persistent bucket configuration is a privileged side effect not implied by the skill description, and in a shared bucket it can alter retention behavior and governance unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 89%

Finding: The document exposes face and body detection capabilities without any user-facing privacy, consent, or lawful-use warning. In a media-processing skill, this can normalize biometric or sensitive-personal-data analysis and increase the chance the capability is used on images of people without appropriate notice, consent, or jurisdiction-specific compliance checks.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding: The documentation grants `oss:DeleteObject` and explicitly notes it is used for temporary-file cleanup, but it does not provide any user-facing warning about deletion behavior, scope, or the risk of accidental data loss. In a skill that processes and manipulates OSS objects, undocumented delete capability increases the chance that operators overprovision permissions or enable cleanup behavior without understanding that real objects may be removed.

Missing User Warnings

Severity: Medium
Confidence: 96%

Finding: The delete path executes immediately after a weak pre-check and does not require an explicit user confirmation at the moment of destruction. In agent-driven workflows, this raises the likelihood of accidental or manipulated destructive actions because there is no human-in-the-loop checkpoint before irreversible changes.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding: The raw download path writes directly to a caller-supplied output_path with open(..., 'wb'), which will overwrite existing files. In an agent context, a crafted or mistaken path can clobber arbitrary user-accessible files on the host, making this more dangerous than a normal CLI utility.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding: Processed media download mode also writes directly to a user-controlled local path without checking for existing files or path safety. Because this skill may be driven by natural-language agent inputs, silent overwrite of arbitrary local files is a meaningful integrity risk.

Missing User Warnings

Severity: Medium
Confidence: 84%

Finding: Blind watermark embed download mode writes output to a local path and also deletes the temporary OSS object afterward, but the write occurs without overwrite safeguards. The main issue is still arbitrary local file clobbering; the temp object deletion is a secondary operational side effect that can surprise users and complicate recovery.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
if _IS_WINDOWS:
    _ENV_FILES = [
        os.path.join(os.environ.get("USERPROFILE", ""), ".env"),
        os.path.join(os.environ.get("USERPROFILE", ""), "alibaba.env"),
    ]
else:
Confidence: 84%

Finding: .env"

Credential Access

Severity: High
Category: Privilege Escalation
Content:
if _IS_WINDOWS:
    _ENV_FILES = [
        os.path.join(os.environ.get("USERPROFILE", ""), ".env"),
        os.path.join(os.environ.get("USERPROFILE", ""), "alibaba.env"),
    ]
else:
    _ENV_FILES = [
Confidence: 84%

Finding: .env"

Credential Access

Severity: High
Category: Privilege Escalation
Content:
os.path.expanduser("~/.profile"),
        os.path.expanduser("~/.bash_profile"),
        os.path.expanduser("~/.zshrc"),
        os.path.expanduser("~/.env"),
    ]

# KEY=VALUE line pattern (supports quoted values, optional "export" prefix)
Confidence: 86%

Finding: .env"

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.