Back to skill

Security audit

Alibabacloud Rds Copilot

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned for Alibaba Cloud RDS Copilot, but it understates persistent local setup, credential handling, and sensitive data sent to Alibaba Cloud.

Install only if you are comfortable letting the agent manage Alibaba Cloud CLI/plugin setup and use an Alibaba Cloud credential profile. Prefer a least-privilege RAM user, avoid root keys, redact SQL literals and production identifiers before sending queries, and do not run the verification examples in logged or shared environments unless the output is safe to expose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Scope Creep

Medium
Confidence
91% confidence
Finding
The skill declares only `rdsai:ChatMessages` as required RAM permission, but its documented workflow also directs the agent to install/upgrade the CLI, manage plugins, and modify credential profiles. That mismatch can mislead users and reviewers about the true scope of actions the skill may perform, increasing the chance of unreviewed local system changes and credential handling.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The cleanup section says the skill is read-only and creates no resources, but the workflow explicitly performs local writes such as installing software, upgrading components, enabling plugin auto-install, and storing credentials. This inaccurate safety claim can cause operators to trust and approve the skill under false assumptions about persistence and host impact.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to send free-form queries, troubleshooting details, SQL text, and instance identifiers to a remote API, but it does not warn that these inputs leave the local environment and may contain sensitive operational or database information. In this skill context, that omission is more dangerous because the examples explicitly include production-like incident details and SQL analysis prompts, increasing the chance that operators will transmit confidential data without realizing the privacy and compliance implications.

Context Leakage

High
Category
Data Exfiltration
Content
--user-agent 'AlibabaCloud-Agent-Skills/alibabacloud-rds-copilot/{session-id}' 2>&1)
echo "$RESULT"

# Extract ConversationId
CONV_ID=$(echo "$RESULT" | grep -oP '"ConversationId":"[^"]+' | head -1 | cut -d'"' -f4)
echo "ConversationId: $CONV_ID"
Confidence
94% confidence
Finding
Extract Conversation

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.