Back to skill

Security audit

Alibabacloud Polardb Mysql Sql Lint

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate SQL-linting purpose, but its cloud-diagnosis path and setup instructions create review-worthy host, credential, and cloud-permission risk.

Review carefully before installing. Static-only use is much lower risk, but full DAS mode should be run only in an isolated environment with least-privilege, short-lived Alibaba Cloud credentials. Avoid the curl-to-bash installer, avoid broad extended RAM permissions, and require the shell-command construction bug to be fixed before running the skill on untrusted SQL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue AgentSelf-Modification, Session Persistence
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for attempt in range(max_retries):
            try:
                result = subprocess.run(
                    command, shell=True, capture_output=True, text=True, timeout=60
                )
Confidence
99% confidence
Finding
result = subprocess.run( command, shell=True, capture_output=True, text=True, timeout=60 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to read local reference files and execute shell commands, but there is no explicit permission declaration constraining those capabilities. In an agent setting, undeclared file and shell access weakens the trust boundary and can let the skill perform broader actions than a user or platform reviewer would expect.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file is materially misaligned with the stated skill purpose: instead of SQL linting or PolarDB MySQL assessment guidance, it provides a full Alibaba Cloud CLI installation and credential configuration guide. In an agent skill context, this expands the capability surface toward cloud account access and operational control, which is dangerous because users invoking a SQL review skill would not reasonably expect to be guided into installing tooling and configuring credentials.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation introduces broad credential-management patterns, profile switching, plugin installation, endpoint overrides, proxy settings, and general ECS operations that exceed what is needed for pre-release SQL linting. In context, this can normalize collection or use of long-lived cloud credentials and broaden an agent's implied authority beyond SQL assessment into general cloud administration.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The extended RAM policy grants several permissions that go beyond narrowly scoped SQL linting, including instance enumeration, storage analysis, diagnosis task management, slow log access, and especially `hdm:ExecuteScript`. Because the policy uses `Resource: "*"`, any principal receiving it may gain broader visibility into database environments and potentially run provider-side diagnostic scripts, expanding the blast radius well beyond the stated skill purpose.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
Describing `hdm:ExecuteScript` as "read-only" is misleading because the permission name indicates execution capability, and readers may approve it under a false assumption of safety. In security documentation, mischaracterizing a privileged action can cause overbroad access to be granted without proper review, especially in a skill that users may treat as a low-risk linting tool.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The skill automatically installs a CLI plugin and executes shell commands on the host during normal operation, which expands the trust boundary and modifies the execution environment without explicit deployment-time control. In agent environments, this is dangerous because a skill expected to analyze SQL now also performs host-level changes and creates a path for abuse if combined with other weaknesses.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code performs remote DAS operations against cloud database instances through an external CLI, sending user-supplied SQL and identifiers to a cloud service. This is expected functionality for the skill, but it still creates data exposure and action-scope risks if users are not clearly informed or if execution occurs with overly broad cloud credentials.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The notes explicitly describe that DAS dynamic diagnosis performs network API calls and does not require a direct database connection, but they do not mention that user-supplied SQL may be transmitted to Alibaba Cloud DAS for analysis. In a SQL review skill, this can expose sensitive queries, schema names, table names, or embedded literals to an external service without clear disclosure or gating, creating a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Raw SQL text is embedded into a shell command and sent to an external CLI without robust isolation or clear disclosure. This is dangerous both because sensitive SQL may contain proprietary schema/business logic and because interpolating it into a shell string enables command injection when the SQL contains quotes or shell metacharacters.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill installs a CLI plugin automatically at runtime without an explicit warning or opt-in, which can surprise operators and alter the host environment outside the expected scope of a linting tool. In shared agent infrastructure, this increases supply-chain and change-management risk even though the command itself is fixed.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
### Required Environment

- **Python Version:** 3.8+
- **CLI Tools:** aliyun-cli (configured with credentials)
- **Environment Variables:** `ALIBABA_CLOUD_ACCESS_KEY_ID`, `ALIBABA_CLOUD_ACCESS_KEY_SECRET`

## Observability Initialization (MUST run before any command)
Confidence
79% confidence
Finding
Tools:*

Session Persistence

Medium
Category
Rogue Agent
Content
1. Log in to Aliyun Console: https://ram.console.aliyun.com/
2. Navigate to: AccessKey Management
3. Create a new AccessKey pair
4. Save the secret immediately — it's only shown once

### Configuration Modes
Confidence
76% confidence
Finding
Create a new AccessKey pair 4. Save the secret immediately — it's only shown once ### Configuration Modes Aliyun CLI supports 6 authentication modes. All examples below use non-interactive flags. #

External Script Fetching

High
Category
Supply Chain
Content
**Pre-check: Aliyun CLI >= 3.3.3 required**
> Run `aliyun version` to verify >= 3.3.3. If not installed or version too low,
> run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` to update,
> or see [references/cli-installation-guide.md](references/cli-installation-guide.md) for installation instructions.

**Pre-check: Aliyun CLI plugin update required**
Confidence
98% confidence
Finding
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash

Tool Parameter Abuse

High
Category
Tool Misuse
Content
for attempt in range(max_retries):
            try:
                result = subprocess.run(
                    command, shell=True, capture_output=True, text=True, timeout=60
                )
Confidence
98% confidence
Finding
subprocess.run( command, shell=True

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.