Security audit

Alibabacloud Waf Config Backup

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Alibaba Cloud WAF backup skill, but it needs review because it runs dynamically built shell commands with cloud credentials and exports sensitive security configuration.

Install only if you are comfortable reviewing and running the bundled Python script in an isolated environment. Use a read-only RAM user or short-lived credentials, avoid entering secrets in command-line arguments, and protect the generated workbook because it contains detailed WAF rules, protected assets, account topology, and raw configuration JSON. A safer version would remove shell=True, pass CLI arguments as argv arrays, and make plugin/config changes explicit and optional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    last_err = ""
    for attempt in range(1, RETRY_MAX + 1):
        try:
            result = subprocess.run(
                cmd, shell=True, capture_output=True, text=True,
                timeout=CLI_TIMEOUT_SEC,
            )
Confidence
96% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=CLI_TIMEOUT_SEC, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill requires shell execution, network access, and file reads, but it does not declare permissions or boundaries for those capabilities. Because it invokes external installers, updates CLI plugins, and runs a bundled Python script that reads local files and accesses cloud APIs, the lack of explicit permission declarations weakens reviewability and increases the chance of overbroad or unexpected execution in the agent environment.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The guide shows access keys and secrets being passed directly on the command line, which can expose credentials via shell history, process listings, audit logs, and agent telemetry. In an automation-focused skill, this is more dangerous because users may copy these examples into CI jobs, terminals, or orchestrators where secrets are widely logged or retained.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide recommends non-interactive configuration for scripts and agents without warning that this can persist long-lived credentials in ~/.aliyun/config.json in plaintext-like form. In the context of an agent skill for cloud backup, that increases risk because the host may be multi-user, ephemeral-but-logged, or subject to artifact collection and debugging.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The workbook intentionally exports extensive WAF configuration, including raw JSON for domains, bindings, templates, and rules, into local .xlsx files with no sensitivity warning, access control, or redaction. These backups can expose security policy internals, protected asset inventory, account topology, and other operationally sensitive details that would materially aid an attacker if the file is shared, synced, or stored insecurely.

Unvalidated Output Injection

High
Category
Output Handling
Content
import subprocess, json

def run_cli(cmd):
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return json.loads(result.stdout)
Confidence
98% confidence
Finding
subprocess.run(cmd, shell=True, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
    last_err = ""
    for attempt in range(1, RETRY_MAX + 1):
        try:
            result = subprocess.run(
                cmd, shell=True, capture_output=True, text=True,
                timeout=CLI_TIMEOUT_SEC,
            )
Confidence
97% confidence
Finding
subprocess.run( cmd, shell=True, capture_output

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
                f"--instance-id {instance_id} --rule-type {rule_type} "
                f"--query '{query_args}'")
    rules = paginate(base_cmd, "Rules", profile)
    return rules


# === Excel Writing Helpers ===
Confidence
85% confidence
Finding
return rules

Tool Parameter Abuse

High
Category
Tool Misuse
Content
import subprocess, json

def run_cli(cmd):
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return json.loads(result.stdout)
Confidence
97% confidence
Finding
subprocess.run(cmd, shell=True

Tool Parameter Abuse

High
Category
Tool Misuse
Content
    last_err = ""
    for attempt in range(1, RETRY_MAX + 1):
        try:
            result = subprocess.run(
                cmd, shell=True, capture_output=True, text=True,
                timeout=CLI_TIMEOUT_SEC,
            )
Confidence
95% confidence
Finding
subprocess.run( cmd, shell=True

VirusTotal

64/64 vendors flagged this skill as clean.