Back to skill

Security audit

Alibabacloud Pds Intelligent Workspace

Security checks across malware telemetry and agentic risk

Overview

The skill is genuinely about Alibaba Cloud PDS file work, but it also enables broad credentialed cloud access, risky sharing defaults, and persistent host-level mount software installation that users should review before use.

Install only if you intentionally need Alibaba Cloud PDS automation and are comfortable granting it access to the relevant drives. Use a least-privilege RAM user or short-lived token, avoid root/admin cloud credentials, do not let an agent configure plaintext keys in chat or shell history, and review generated share links before sending them. Treat mount-app installation as an admin-level action: verify the vendor source, require manual approval, and understand it can add persistent background services. Keep raw analysis JSON and signed download URLs private, especially if they are written to /tmp or shared logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (41)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill directs the agent to perform shell commands, network access, and local file operations, but it declares no explicit permissions or capability constraints. That creates a transparency and policy-enforcement gap: a caller or platform may authorize the skill under the assumption it is low-risk while it can actually install software, access files, and invoke external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill advertises a broad set of PDS capabilities, but the documented behavior appears inconsistent and includes capabilities not clearly disclosed while omitting others it claims to support. This mismatch can mislead routing and trust decisions, causing the agent to invoke the skill in situations where the actual actions, outputs, or side effects differ from user and platform expectations.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This guide is materially over-scoped for a skill whose declared purpose is PDS file operations. It walks users through installing a general Alibaba Cloud CLI, configuring broad account credentials, and testing access against ECS and other non-PDS services, which could enable account-wide cloud administration if an agent or user follows it in the skill context.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
These sections introduce account-level IAM and credential modes such as AccessKey, STS, RamRoleArn, and ECS role flows that are broader than necessary for a PDS-focused skill. In this context, they normalize obtaining and storing powerful credentials that may grant cross-account or cross-service access beyond file operations.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The plugin installation and service exploration guidance encourages use of arbitrary Alibaba Cloud product plugins and commands like ECS and FC help, which expands the operator's capability outside the stated PDS function. In a skill package, that broadening increases the chance of misuse or unintended invocation of unrelated cloud services.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The guide instructs enumerating all users in a domain and displaying user_id, nick_name, phone, email, and role to the user, which exceeds the minimum data needed for ordinary file operations. In a file-management skill, this broad directory disclosure increases privacy risk and can expose internal identities for targeting, phishing, or unauthorized user selection.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This guide goes beyond ordinary cloud-drive file operations and instructs the agent to install host software, drivers, and long-running services across Windows, macOS, and Linux. In an agent skill context, that materially expands capability from file management to privileged host modification and persistence, which is dangerous if triggered automatically or without explicit, informed user consent.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The document directs installation of third-party dependencies like Dokan and macFUSE and asks for system configuration changes such as allowing extensions and installing FUSE packages. These actions are outside the minimum scope of normal PDS file manipulation and can weaken system integrity or broaden attack surface when performed by an automated agent.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The prompt examples contradict the declared schema by using nonexistent or incorrect field names such as extension/create_at/update_at and inconsistent sort fields, which can cause the downstream model to emit invalid query objects. In a file-management skill that performs search, download, sharing, and other data operations, this can lead to failed queries, unintended broad searches, or incorrect file selection that affects confidentiality and integrity of user data handling.

Vague Triggers

High
Confidence
92% confidence
Finding
The activation rules are so broad that ordinary references to cloud drives, uploads, downloads, sharing, or analysis can trigger this skill even when the user did not clearly intend Alibaba Cloud PDS. In an agent environment, overbroad triggering is dangerous because it can cause unnecessary credential checks, local command execution, external API use, or file operations in the wrong context.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes generic phrases like batch download and share-related terms without requiring a clear PDS qualifier. Those ambiguous triggers increase the chance of accidental invocation for unrelated storage providers or benign conversational mentions, expanding the skill's operational reach beyond intended scope.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide tells users to pass access keys directly on the command line and via environment variables without prominently warning that secrets may be exposed through shell history, process inspection, CI logs, or persistent local config files. This can lead to credential leakage, especially in automated or shared environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The notes state that the user's token will be preset in the Aliyun CLI configuration file, but provide no warning about local credential persistence, filesystem exposure, multi-user hosts, or secret handling. Persisting long-lived tokens in CLI config can enable account compromise if the workstation, home directory, logs, or backups are accessed by another party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly directs displaying user_id, nick_name, phone, email, and role from the domain user list without any privacy minimization or warning. These fields contain sensitive personal and organizational information that is not necessary to expose broadly for most PDS file tasks, increasing privacy and social-engineering risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly shows how to overwrite an existing file by supplying a target file ID and revision ID, but it does not instruct the agent or operator to require explicit user confirmation before performing a destructive action. In a file-management skill, this creates a realistic risk of unintended data loss if an agent follows the example automatically or interprets ambiguous user requests as permission to replace content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document explicitly instructs users to save raw analysis results that contain signed URLs, which are effectively bearer tokens granting time-limited access to potentially sensitive file contents. Without warnings about secrecy, expiration, redaction, or safe storage, users may copy these results into logs, tickets, chats, or shared files, unintentionally exposing private document data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The formatter workflow states it will automatically download every resource referenced by signed URLs, which can trigger retrieval of sensitive analysis artifacts and images over the network without any caution to the operator. In a file-analysis skill, this increases the chance of over-collection, unintended data egress, and accidental handling of confidential content beyond what the user expected.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly includes a recommended example for creating a password-free, never-expiring share link, which normalizes an insecure sharing pattern in a file-sharing skill. In this context, the skill can directly create externally accessible links for cloud-stored content, so omitting strong warnings and safer defaults increases the risk of unintended long-term data exposure, unauthorized redistribution, and compliance/privacy violations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The upload guide instructs users to send a local file to PDS but does not explicitly warn that the file's contents leave the local system and are transmitted to a remote cloud service. In a file-management skill that may operate on sensitive enterprise, team, or personal data, this omission can cause accidental exfiltration of confidential material because users may not appreciate the privacy and data-boundary implications of the action.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide documents `ignore` as the default `--check-name-mode`, which permits overwriting same-name files without a prominent warning. In a cloud storage skill handling user and organizational files, this increases the risk of silent data loss or destructive replacement of important documents if the target directory already contains a file with the same name.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The guide directs the agent to upload a user-provided local image into PDS system space as a preprocessing step, but it does not require explicit user consent, disclose that the file will be copied into a separate storage area, or mention retention/cleanup expectations. In a file-management skill handling potentially sensitive enterprise or personal content, this can cause unintended data transfer, persistence, and policy/privacy violations even if the upload is functionally necessary.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The formatter performs outbound HTTP requests to signed URLs taken directly from the input JSON, with no validation of destination, allowlist, or explicit user warning. If an attacker can influence the analysis result file, this can trigger unintended remote fetches, enabling SSRF-style access to internal resources or silent retrieval of untrusted remote content in a local processing workflow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code persists raw analysis responses to disk even though the response may contain signed URLs and other sensitive metadata, and it defaults to writing into /tmp. On multi-user systems or shared environments, this can expose temporary access tokens or file-access links to other users, logs, backups, or later processes that can read the saved file.

External Transmission

Medium
Category
Data Exfiltration
Content
version=$(echo "$latest_info" | jq -r '.version')

# Download to temporary directory
curl --max-time 600 -fL -o "/tmp/mountapp-${version}.zip" "$download_url"  # Windows/macOS
curl --max-time 600 -fL -o "/tmp/mountapp-${version}.rpm" "$download_url"  # Linux
```
Confidence
89% confidence
Finding
curl --max-time 600 -fL -o "/tmp/mountapp-${version}.zip" "$download_url" # Windows/macOS curl --max-time 600 -fL -o "/tmp/mountapp-${version}.rpm" "$download_url" # Linux ``` --- ### Step 4: Exec

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Convert RPM to DEB
cd /tmp
sudo alien mountapp-${version}.rpm

# Install converted DEB package
sudo dpkg -i mountapp_${version}_*.deb
Confidence
94% confidence
Finding
sudo

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.