Back to skill

Security audit

Alibabacloud Sas Openclaw Security

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Alibaba Cloud security-operations tool, but it can execute powerful remote commands on ECS instances and save sensitive security data locally.

Install only in a controlled operator environment. Use a tightly scoped RAM role, limit ECS RunCommand permissions to intended instances, review the exact guardrail install command before running it, and treat the output directory as sensitive because it may contain host inventory, vulnerabilities, alerts, and command output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill invokes shell commands, accesses environment-backed credentials, and writes output files, but it does not declare permissions for those capabilities. In an agent setting, missing permission declarations weakens review and policy enforcement, especially because this skill can perform real cloud security operations and remote command execution against ECS instances.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script retrieves a shell command from an API response (InstallKey), wraps it in `bash -c`, and executes it remotely on ECS instances through Cloud Assistant. This creates a powerful remote code execution path controlled by external data, and the command is neither validated nor constrained before execution.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The documentation says the script installs a security guardrail, but does not disclose that the install command is fetched from an API and executed verbatim via `bash -c` on remote hosts. This lack of transparency can cause operators or higher-level agents to trigger a highly destructive side effect without informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow instructs operators to install a security guardrail plugin on target instances but does not warn that this action changes remote systems and may affect running workloads, configuration state, or operational stability. In a security-operations skill that can drive infrastructure actions, omission of an explicit modification warning increases the chance of unintended changes being executed without informed user consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persists a Markdown report and a raw JSON dump containing host identifiers, IPs, vulnerability data, baseline findings, and alert details to disk without any warning, consent flow, or data-minimization controls. In a security-operations skill, this creates a real confidentiality risk because the generated artifacts may remain on shared disks, be picked up by backups, or be exposed to other local users and automation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs remote execution of an externally sourced install command on specified instances without any interactive confirmation, policy check, or explicit warning about the side effect. In an agent skill context, this materially increases the risk of unintended or unauthorized software deployment across infrastructure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script persists the raw installation command, remote command, and per-host execution output to local JSON and Markdown files. If the install command contains secrets, one-time tokens, internal URLs, or host output with sensitive details, these artifacts can leak privileged information to local users, logs, or downstream systems.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persists detailed asset inventory data, including hostnames, instance identifiers, public/private IPs, OS details, and disk information, to local JSON and Markdown files without any minimization, access control, or operator warning. In a security-operations skill, this creates a real data-exposure risk because the generated files can be left on shared workstations, CI runners, or agent environments and later accessed by unauthorized users or processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes detailed instance inventory data to disk, including hostnames, IPs, ports, instance IDs, UUIDs, component versions, and paths, without any confidentiality controls, warning, or opt-in. In a security-operations skill, this materially increases exposure because these artifacts can aid lateral movement, targeting, and environment reconnaissance if the output directory is shared, backed up insecurely, or left on disk.

External Script Fetching

High
Category
Supply Chain
Content
**Pre-check: Aliyun CLI >= 3.3.3 required**
> Run `aliyun version` to verify >= 3.3.3. If not installed or version too low,
> run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` to update.

**Pre-check: Aliyun CLI plugin update required**
> [MUST] run `aliyun configure set --auto-plugin-install true` to enable automatic plugin installation.
Confidence
98% confidence
Finding
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.