Back to skill

Security audit

Alibabacloud Sls Sdk Guidance

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Alibaba Cloud SLS SDK guidance skill, with no executable behavior, but users should handle log contents and cloud credentials carefully.

Install only if you want Codex to provide Alibaba Cloud SLS SDK guidance. Before using generated examples in production, prefer STS or role-based credentials, avoid shipping static AccessKeys in mobile apps, redact secrets and personal data from logs, and review retention, consent, and data-residency requirements for anything sent to SLS.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The Android example demonstrates obtaining long-lived Alibaba Cloud AccessKey credentials in a mobile-client context, which is unsafe because mobile apps are distributed to untrusted devices and can be reverse engineered, instrumented, or memory-inspected. Even though the snippet uses environment variables, that does not make the credentials safe on Android and it normalizes a static-credential model that conflicts with least-privilege mobile design.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The basic example teaches one authentication pattern while the later section advises the opposite, creating a misleading default that developers are likely to copy verbatim. In a mobile SDK guidance document, placing static AccessKey usage in the first example materially increases the chance that insecure credential handling will be adopted in production apps.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes an Android logging SDK that uploads application logs and explicitly mentions companion libraries for crash, block, network-quality, and trace collection, but it does not present a prominent user-facing warning about telemetry and potential sensitive-data transmission. In a guidance skill, this omission can cause developers to integrate client-side logging without adequate privacy review, consent handling, or data-minimization controls, increasing the risk of accidental collection and export of sensitive user or device data.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The guidance highlights asynchronous background transmission and optional persistent local binlog storage, but it does not warn that logs may contain sensitive user, device, or application data that could be retained on disk and transmitted automatically. In a mobile context, this omission can lead developers to enable durable logging without considering consent, minimization, retention, encryption, and platform privacy requirements.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document promotes asynchronous background transmission and optional offline persistence of logs on a mobile device, but it does not clearly warn that logs may contain sensitive user, device, or application data that will be stored locally and transmitted later. In an SDK guidance context, this omission can lead developers to enable persistence by default without considering consent, retention, encryption, or platform data-protection requirements.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The examples show AccessKey ID and AccessKey Secret being supplied directly in mobile app configuration before any immediate warning that static credentials must not be shipped in production. In a client-side iOS app, embedded long-lived secrets can be extracted through reverse engineering, allowing attackers to write logs, abuse the associated cloud account, or pivot into broader service misuse depending on granted permissions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to transmit application logs to a remote cloud service and includes configuration fields for cloud access credentials, but it does not warn about sensitive data export, secret handling, or the risk of logging confidential information. In documentation that is likely to be copied verbatim into production systems, this omission can lead to accidental credential exposure in config files and unintended exfiltration of sensitive application data to SLS.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guidance instructs users to forward application logs directly to SLS and lists the fields transmitted, but it does not explicitly warn that logs may contain secrets, personal data, tokens, request contents, stack traces, or other sensitive material. In a logging-integration skill, this omission is meaningful because users may enable broad appender-based collection with no code changes, increasing the chance of unintentionally exporting sensitive data to a remote service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document promotes a Log4j2 appender that forwards application logs directly to Alibaba Cloud SLS but does not warn that logs may contain sensitive data such as credentials, tokens, personal data, or internal system details. In a logging-integration guide, that omission can cause users to enable broad log export without reviewing data minimization, redaction, or compliance requirements.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The quick-start example references cloud access credentials and encourages direct use in configuration without any adjacent guidance on secret handling. Even though environment-variable substitution is better than hardcoding, the lack of warnings may lead users to expose long-lived keys in config files, logs, source control, or overly permissive runtime environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guidance promotes direct, automatic forwarding of Log4j2 application logs to SLS but does not warn that logs often contain secrets, tokens, personal data, request payloads, stack traces, or other sensitive fields. In a logging integration skill, omission of data-minimization and redaction guidance is dangerous because users may enable centralized export broadly and unintentionally exfiltrate sensitive data to a remote service.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The guidance instructs users to forward application logs to a remote SLS service but does not warn that logs commonly contain sensitive data such as credentials, tokens, personal data, request contents, or stack traces. In this skill context, the omission is more dangerous because it is operational guidance intended for direct adoption in production logging configurations, increasing the chance of unreviewed bulk exfiltration of sensitive telemetry.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The document instructs users to send application logs to a remote cloud logging service but does not warn that logs may contain sensitive data such as credentials, tokens, personal data, or internal system details. In a logging-guidance skill, omission of privacy and data-handling cautions can lead users to forward sensitive information off-host without appropriate review or redaction.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The example demonstrates use of cloud credentials from environment variables without any warning about secure credential handling, credential scope, or avoiding disclosure in logs and shell history. While using environment variables is common, presenting credential use in a copy-paste example without security guidance can normalize unsafe operational practices and lead to accidental exposure or overprivileged access.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.