Back to skill

Security audit

Alibabacloud Pai Eas Service Deploy

Security checks across malware telemetry and agentic risk

Overview

The skill is a real Alibaba Cloud deployment helper, but it can provision costly services automatically, mutate the local CLI setup, and print live service tokens into chat.

Review before installing. Use this only in a tightly scoped Alibaba Cloud account with least-privilege credentials and budget controls. Do not let it print real AccessToken values into shared chats or logs, avoid curl-to-bash setup unless you independently trust and verify the installer, require explicit approval before create-service, and prefer private/authenticated endpoints over public shared gateways.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to download and execute a remote install script and to install/update CLI plugins on the host. That expands scope from deploying a cloud service to modifying the local execution environment, increasing supply-chain and host-integrity risk.

Scope Creep

Medium
Confidence
94% confidence
Finding
The skill modifies local CLI state through plugin installation and configuration changes, which exceed the declared cloud-side API permissions and affect the host environment. Such stateful changes can alter future command behavior, introduce unreviewed code, or impact unrelated workflows on the machine.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation explicitly advises deploying a GPU-backed vLLM image and GPU instance even when a user requests CPU deployment. This is not a code-execution flaw, but it is a security-relevant integrity issue because it causes the agent to override user intent and provision materially different infrastructure than requested, which can increase cost exposure and violate policy or quota constraints.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file materially broadens the skill’s operational scope from EAS deployment into general cloud inventory by documenting commands for OSS, VPC, ECS, NLB, and AIWorkSpace enumeration. In an agent setting, this can enable unnecessary discovery of buckets, network topology, security groups, datasets, and load balancers, increasing information exposure and making prompt-injected or over-permissive workflows more dangerous than the stated deployment-only purpose suggests.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs autonomous execution of cloud resource creation and forbids asking the user for confirmation. That is dangerous because it can cause unreviewed provisioning, cost incurrence, and infrastructure changes using the agent's available credentials.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill tells the agent to pipe a remote shell script directly into bash to install software, without strong user warning or trust controls. This is a classic supply-chain and arbitrary code execution risk on the host running the agent.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill requires including the AccessToken in the final response, which would expose a live credential directly to the chat/output channel. If logs, transcripts, or downstream users can access that response, the token could be abused to invoke the deployed service or pivot into further compromise depending on token scope.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The examples repeatedly use `--trust-remote-code`, which allows model repositories to supply and execute custom code at load time. In a model deployment skill, this is especially dangerous because users may point to third-party or insufficiently vetted models, turning a documentation example into a path for arbitrary code execution inside the serving environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation presents a public internet endpoint and later states that shared gateways are 'No auth by default, publicly accessible' without an explicit warning about exposure, authentication, or network restrictions. In a deployment skill for AI inference services, this can lead users to expose model endpoints unintentionally, enabling unauthorized use, data leakage through inference requests, and resource abuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The verification guide instructs users to retrieve service tokens and invoke endpoints using plain HTTP, and it includes an example Authorization token value. Even though one token is partially redacted, the documentation normalizes insecure handling of credentials and may lead users to expose bearer tokens in transit, shell history, logs, or copied examples. In a deployment skill for live inference services, this increases the chance of credential leakage and unauthorized service invocation.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
NOT completing the task. You MUST run create-service (Step 6) then
describe-service (Step 7). If resources were found, deploy them.

**4. Autonomous Execution** — Do NOT ask user for info discoverable
via APIs. Do NOT ask "should I proceed?" Execute directly.
Timeout? Retry with `--read-timeout 60`. Error? Inform user and CONTINUE.
Missing param? Pick reasonable default.
Confidence
93% confidence
Finding
Do NOT ask user

Credential Access

High
Category
Privilege Escalation
Content
"branch": "master",
      "commit": "xxx",
      "username": "username",
      "password": "password or access token"
    }
  }]
}
Confidence
89% confidence
Finding
access token

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.