Back to skill

Security audit

Alibabacloud Polardb Ai Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a mostly disclosed PolarDB diagnostic assistant, but it asks users to make broad Alibaba Cloud CLI/plugin and credential changes that exceed the stated PolarDB-only scope.

Install only if you are comfortable letting this skill use your Alibaba Cloud CLI identity for PolarDB diagnostics. Use a least-privilege RAM user or temporary credentials, avoid broad role profiles, do not enable unrelated plugins unless needed, and do not paste secrets, full SQL dumps, or sensitive logs into queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file materially expands the skill from PolarDB-specific O&M into general Alibaba Cloud CLI installation, authentication, and multi-product usage. In an agent skill, this scope expansion is dangerous because it equips the agent or user to interact broadly with cloud resources beyond the declared PolarDB boundary, weakening least-privilege and increasing the chance of unauthorized or accidental actions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documentation includes cross-account and elevated access patterns such as RamRoleArn and RamRoleArnWithEcs, which exceed normal PolarDB O&M needs and can enable broader privilege acquisition. In skill context, providing these workflows normalizes privilege escalation paths that could be abused to access or modify resources outside the intended database scope.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The plugin and command examples explicitly instruct installation and exploration of non-PolarDB services such as ECS, VPC, RDS, and FC. That broadens operational capability beyond the stated PolarDB-only purpose and can lead users or agents to enumerate or act on unrelated cloud services.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script hard-codes a generic YaoChi agent endpoint/source rather than enforcing a PolarDB-only scope, while the skill manifest claims the skill is PolarDB-only. This creates a scope-mismatch risk: users may send broader prompts or sensitive operational data to a more general backend than expected, weakening trust boundaries and potentially bypassing product-specific restrictions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide shows direct credential entry and local storage patterns for AccessKey secrets, including examples that place sensitive values on the command line and in config files. In an agent-oriented context, this is risky because secrets may be exposed via shell history, process inspection, logs, transcripts, or improperly secured local files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends the full user query to an external Alibaba Cloud API and also echoes the query to stderr locally, but it does not provide a clear privacy warning or consent step. In an O&M/database assistant context, queries may contain cluster identifiers, logs, SQL, credentials, or incident details, so silent transmission increases the risk of unintended disclosure.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.