Security audit

Alibabacloud Polardb Mysql Inspection

Security checks across malware telemetry and agentic risk

Overview

The skill is a plausible PolarDB inspection tool, but it automatically changes local Alibaba Cloud CLI configuration/plugins and saves sensitive database reports without enough user-controlled scoping.

Install only if you are comfortable letting the skill use your configured Alibaba Cloud profile to read PolarDB/DAS/CMS operational data, generate local reports containing sensitive SQL and session metadata, and modify your local aliyun CLI plugin/configuration state. Prefer a dedicated least-privilege RAM profile, preinstall required CLI plugins yourself, choose a controlled output directory, treat generated reports as sensitive, and verify AI-mode/auto-plugin settings after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _repair_plugin_manifest():
    """Repair corrupted plugin manifest by running plugin update."""
    try:
        subprocess.run(['aliyun', 'plugin', 'update'],
                       capture_output=True, text=True, timeout=60)
    except Exception:
        pass
Confidence
92% confidence
Finding
subprocess.run(['aliyun', 'plugin', 'update'], capture_output=True, text=True, timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _sync_after_install():
    """Flush filesystem caches after plugin installation to avoid 'text file busy'."""
    try:
        subprocess.run(['sync'], capture_output=True, text=True, timeout=10)
    except Exception:
        pass
    time.sleep(1)
Confidence
88% confidence
Finding
subprocess.run(['sync'], capture_output=True, text=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def ensure_cli_plugins():
    """Ensure required aliyun CLI plugins are installed and healthy."""
    try:
        subprocess.run(['aliyun', 'configure', 'set', '--auto-plugin-install', 'true'],
                       capture_output=True, text=True, timeout=10)
    except Exception:
        pass
Confidence
94% confidence
Finding
subprocess.run(['aliyun', 'configure', 'set', '--auto-plugin-install', 'true'], capture_output=True, text=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                           capture_output=True, text=True, timeout=30)
        else:
            print(f'  📦 Installing CLI plugin: {product}...', flush=True)
        subprocess.run(['aliyun', 'plugin', 'install', '--name', f'aliyun-cli-{product}'],
                       capture_output=True, text=True, timeout=60)
        _sync_after_install()
    except Exception:
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'plugin', 'install', '--name', f'aliyun-cli-{product}'], capture_output=True, text=True, timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if repair:
            print(f'  🔧 Repairing CLI plugin: {product}...', flush=True)
            _repair_plugin_manifest()
            subprocess.run(['aliyun', 'plugin', 'uninstall', '--name', f'aliyun-cli-{product}'],
                           capture_output=True, text=True, timeout=30)
        else:
            print(f'  📦 Installing CLI plugin: {product}...', flush=True)
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'plugin', 'uninstall', '--name', f'aliyun-cli-{product}'], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            result = subprocess.run(['aliyun', 'plugin', 'list'], capture_output=True, text=True, timeout=15)
            if result.returncode == 0 and f'aliyun-cli-{plugin}' not in result.stdout:
                print(f'  📦 Installing CLI plugin: {plugin}...', end='', flush=True)
                install = subprocess.run(['aliyun', 'plugin', 'install', '--name', f'aliyun-cli-{plugin}'],
                                         capture_output=True, text=True, timeout=60)
                if install.returncode == 0:
                    print(' ✅', flush=True)
Confidence
95% confidence
Finding
install = subprocess.run(['aliyun', 'plugin', 'install', '--name', f'aliyun-cli-{plugin}'], capture_output=True, text=True, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill clearly intends to execute shell commands, make networked API calls, and write reports to disk, but it does not declare those capabilities or permissions up front. That creates a transparency and governance gap: operators may authorize or invoke the skill without realizing it can modify local state and reach external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill is described as a read-only inspection/reporting tool, but the documented behavior includes command interception, local enforcement hooks, plugin auto-install/repair, and confirmation logic beyond simple inspection. This mismatch is dangerous because users may consent to a narrow reporting workflow while the skill actually changes local tooling state and exerts broader control over command execution.

Intent-Code Divergence

Medium
Confidence
78% confidence
Finding
The skill declares a hard rule that all inspections must go through health-inspect.py, but later permits a manual fallback workflow if the script is unavailable. That contradiction weakens the intended safety boundary and can normalize bypassing the audited wrapper in favor of ad hoc direct API calls.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill modifies the local Alibaba Cloud CLI by enabling auto-install, updating manifests, uninstalling plugins, and installing plugins. In the context of a health inspection tool, those side effects are materially beyond the declared read-oriented purpose and expose the host to unexpected code and configuration changes.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Issuing a system-wide `sync` is a host-level capability unrelated to collecting PolarDB health data. In this skill context it is unjustified and demonstrates unnecessary authority over the local machine.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The trigger list contains broad phrases like performance check, connection monitoring, and alert history that may match ordinary requests outside the intended scope. Overbroad activation can cause the skill to run in contexts the user did not intend, leading to unnecessary API calls, local file generation, or disclosure of account metadata.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill emphasizes report generation but does not clearly warn in the top-level description that outputs are written to local disk by default. Silent local persistence is a security and privacy concern because reports may contain infrastructure identifiers, performance data, and operational metadata that remain accessible after execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide recommends entering long-lived access keys directly on the command line and exporting credentials as environment variables without prominently warning that shell history, CI logs, process listings, and persisted shell profiles can expose secrets. In an agent-driven or automated context, this increases the chance of accidental credential leakage and reuse of high-value cloud credentials.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script writes sensitive operational data including sessions, client hosts, SQL text, and alert history into local report files without an explicit warning or redaction option. In a database-inspection context, this data can contain credentials-adjacent metadata, business queries, and internal topology details that increase exposure if the report is shared or stored insecurely.

Ssd 3

Medium
Confidence
69% confidence
Finding
Instructing the agent to read permission policy details and guide the user through missing access can surface broader account structure and permission requirements into the conversation. While operationally useful, it increases the chance of oversharing sensitive IAM/RAM details beyond what is necessary to diagnose the immediate failure.

Unvalidated Output Injection

High
Category
Output Handling
Content
cmd.extend([f'--{key}', str(value)])

    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        if result.returncode == 0:
            return json.loads(result.stdout)
    except (subprocess.TimeoutExpired, json.JSONDecodeError):
Confidence
95% confidence
Finding
subprocess.run(cmd, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
    # Check whether the aliyun CLI is available
    try:
        result = subprocess.run(['aliyun', 'version'], capture_output=True, text=True, timeout=5)
        if result.returncode != 0:
            raise FileNotFoundError
    except (FileNotFoundError, subprocess.TimeoutExpired):
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'version'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
def _repair_plugin_manifest():
    """Repair corrupted plugin manifest by running plugin update."""
    try:
        subprocess.run(['aliyun', 'plugin', 'update'],
                       capture_output=True, text=True, timeout=60)
    except Exception:
        pass
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'plugin', 'update'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
def _sync_after_install():
    """Flush filesystem caches after plugin installation to avoid 'text file busy'."""
    try:
        subprocess.run(['sync'], capture_output=True, text=True, timeout=10)
    except Exception:
        pass
    time.sleep(1)
Confidence
95% confidence
Finding
subprocess.run(['sync'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
def ensure_cli_plugins():
    """Ensure required aliyun CLI plugins are installed and healthy."""
    try:
        subprocess.run(['aliyun', 'configure', 'set', '--auto-plugin-install', 'true'],
                       capture_output=True, text=True, timeout=10)
    except Exception:
        pass
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'configure', 'set', '--auto-plugin-install', 'true'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
    except Exception:
        pass
    try:
        check = subprocess.run(['aliyun', 'plugin', 'list'], capture_output=True, text=True, timeout=15)
        combined = (check.stdout or '') + (check.stderr or '')
        if 'manifest' in combined.lower() or 'unexpected' in combined.lower() or check.returncode != 0:
            print('  🔧 Repairing CLI plugin manifest...', flush=True)
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'plugin', 'list'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
    required_plugins = ['polardb', 'cms', 'das']
    for plugin in required_plugins:
        try:
            result = subprocess.run(['aliyun', 'plugin', 'list'], capture_output=True, text=True, timeout=15)
            if result.returncode == 0 and f'aliyun-cli-{plugin}' not in result.stdout:
                print(f'  📦 Installing CLI plugin: {plugin}...', end='', flush=True)
                install = subprocess.run(['aliyun', 'plugin', 'install', '--name', f'aliyun-cli-{plugin}'],
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'plugin', 'list'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
            result = subprocess.run(['aliyun', 'plugin', 'list'], capture_output=True, text=True, timeout=15)
            if result.returncode == 0 and f'aliyun-cli-{plugin}' not in result.stdout:
                print(f'  📦 Installing CLI plugin: {plugin}...', end='', flush=True)
                install = subprocess.run(['aliyun', 'plugin', 'install', '--name', f'aliyun-cli-{plugin}'],
                                         capture_output=True, text=True, timeout=60)
                if install.returncode == 0:
                    print(' ✅', flush=True)
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'plugin', 'install', '--name', f'aliyun-cli-{plugin}'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
_sync_after_install()
    for plugin in required_plugins:
        try:
            verify = subprocess.run(['aliyun', 'plugin', 'list'], capture_output=True, text=True, timeout=15)
            if verify.returncode == 0 and f'aliyun-cli-{plugin}' not in verify.stdout:
                print(f'  ⚠️ Plugin {plugin} not available, related features may fail', flush=True)
        except Exception:
Confidence
95% confidence
Finding
subprocess.run(['aliyun', 'plugin', 'list'], capture_output

VirusTotal

VirusTotal findings are pending for this skill version.