Back to skill

Security audit

Alibabacloud Tablestore Agent Storage

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for Alibaba Cloud Tablestore knowledge-base work, but it asks for high-impact cloud and local authority without enough confirmation, containment, or secret-storage safeguards.

Install only if you are comfortable granting Alibaba Cloud Tablestore/OSS authority and reviewing each cloud mutation. Before use, avoid storing raw AK/SK or STS tokens in the generated JSON file, require explicit confirmation before any instance creation or scheduled sync, review the exact local directory and file filters being uploaded, and prefer verified/manual CLI installation paths over curl-to-bash or sudo installer shortcuts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The skill explicitly says secrets must be handled through backend code and not exposed, yet the documented workflow persists access_key_id, access_key_secret, and sts_token into a local JSON config file. Storing cloud credentials in plaintext on disk materially increases the risk of credential theft through source control leaks, local compromise, backups, or accidental sharing.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The guide recommends a one-click installer that fetches and executes remote shell content with root privileges via `curl ... | sudo bash`. That pattern removes opportunities for integrity verification and turns any compromise of the download source, transport, or copy-pasted command into immediate privileged code execution on the user's machine.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs the agent to automatically create a Tablestore instance if one does not exist, which is a side-effecting cloud resource operation with cost and governance implications. Performing infrastructure creation without explicit user confirmation can lead to unauthorized provisioning, unexpected billing, and policy violations.

Missing User Warnings

High
Confidence
97% confidence
Finding
The workflow mandates writing configuration, including credentials, to a local file without a clear user-facing warning about sensitive data storage. In a cloud administration context, this is especially risky because leaked credentials can enable broad access to OTS and OSS resources beyond the intended knowledge base operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide recommends piping a remotely fetched script directly into Bash, which executes unreviewed network content immediately on the user's system. In an agent skill context, users may follow copy-pasted setup commands with elevated trust, increasing the risk of supply-chain compromise, MITM, or accidental execution of changed installer logic.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The instructions tell users to use sudo to place a binary into /usr/local/bin without warning that this modifies system state and grants elevated privileges to the installation step. While common for CLI installation, undocumented privileged modification can lead users to run unverified binaries as part of a trusted workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This repeats the same curl-pipe-to-bash pattern on macOS, causing immediate execution of remote code with no review or integrity verification step. Because this is presented as a recommended one-click installation method, users are nudged toward a higher-risk setup path than necessary.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The macOS TGZ workflow downloads a binary and then uses sudo to install it into a system path without any integrity verification or warning about privileged changes. The main risk is not that sudo is inherently malicious, but that the documentation normalizes privileged installation of an unverified download.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Enabling automatic plugin installation allows future CLI commands to fetch and install additional code automatically, expanding the trust boundary beyond the base CLI. In a skill intended for knowledge-base and storage workflows, this is more dangerous because users may run many follow-on commands and may not realize new executable components can be installed implicitly.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The `ossutil sync ... --delete` example is destructive because it will delete remote objects that are absent locally, but the guide does not clearly warn about the deletion semantics. In a knowledge-base/storage context, users may run the command during routine sync and unintentionally erase production content or indexed documents.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Piping a remotely fetched script directly into `sudo bash` is an unsafe installation pattern because users execute unreviewed network content as root without validation. This is especially risky in an agent/storage skill because operators may run setup commands on sensitive workstations or servers holding cloud credentials.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documented agent workflow instructs automatic creation of a cloud Tablestore instance when one does not exist, but it does not require explicit user confirmation or warn about resource provisioning and billing consequences. In an agent context, this can lead to unintended paid cloud resources being created from ambiguous or indirect user requests, creating both cost exposure and governance risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.