Security audit

Alibabacloud Waf Rule Management

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a WAF diagnostic helper, but it contradicts its read-only promise by requiring local CLI configuration changes, plugin updates/installs, and shipping an unrelated script that can rewrite a skill file.

Install only if you are comfortable with an agent using Alibaba Cloud credentials to query WAF/SLS data and changing local Alibaba Cloud CLI/plugin state. Prefer a constrained RAM user, review plugin update/install commands before running them, avoid storing sensitive rule or log JSON in shared `/tmp` paths, and remove the unrelated translation script from runtime packages if possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
This is a mismatch because, while the main rule_matcher.py script is broadly consistent with read-only WAF rule-effectiveness diagnosis, the included translate_to_english.py script performs an unrelated write operation on a local skill file. That behavior is not represented in the declared description and violates the stated framing of human-readable, read-only diagnostic guidance. Additionally, the described SLS-querying capability is not present in the provided code; the code consumes provided JSON rather than querying logs itself.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is advertised as read-only and text-only, but it instructs the agent to run `aliyun configure ai-mode enable`, set user-agent, update plugins, and later disable ai-mode. These are local state-changing operations that alter CLI configuration and environment behavior, violating least surprise and potentially affecting other workflows on the host.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The file explicitly promises no write operations, but later requires plugin updates/installation and CLI configuration changes. This contradiction is dangerous because operators may trust the 'read-only' claim and approve execution that unexpectedly mutates the local system and toolchain.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill bans script/JSON generation and claims text-only output, yet later depends on executing `python scripts/rule_matcher.py` with `rule.json` and `log.json` inputs. This creates a hidden expansion of capability from guidance into local data preparation and code execution, which can mislead reviewers and users about what the skill actually does.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The documented workflow includes running a local Python diagnosis engine over generated files, which exceeds 'human-readable guidance only' and adds code-execution risk on the host. Even if the script is intended for diagnostics, local execution broadens the trust boundary and can expose users to unintended side effects or supply-chain risk from bundled scripts.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Plugin installation/update capability is not necessary for a nominally read-only WAF diagnostic guidance assistant, yet the skill instructs the agent to update plugins. This introduces software-change and supply-chain risk on the host, and may affect unrelated CLI behavior beyond the immediate task.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Executing `python scripts/rule_matcher.py` goes beyond the skill's stated text-only purpose and introduces arbitrary local script execution. In a security-sensitive environment, bundled scripts must be treated as code with full review requirements, not as harmless documentation.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script opens the skill's SKILL.md for writing and overwrites its contents, which contradicts the stated read-only behavior of the skill. Even though it appears intended for maintenance/translation, this creates an undocumented local file-modification capability that could alter agent behavior or documentation without user awareness.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This script implements documentation rewriting against a local SKILL.md file, which is unrelated to the advertised WAF diagnostic function. Extra capabilities that modify local skill assets expand the attack surface and can be abused to tamper with prompts, instructions, or operator-visible documentation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill directs plugin update/installation without clearly warning the user that this changes local software state and may download code from external sources. Lack of user-impact disclosure increases the chance of unintended host modification in environments that expected read-only diagnostics.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document instructs users to save WAF rule configuration JSON and log entries to predictable paths under `/tmp`, which is a shared temporary directory on many Unix-like systems. Those files may contain sensitive traffic metadata, rule logic, IPs, headers, or request details, and can be read, overwritten, or retained longer than intended by other local users or processes.

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
### 2. NO Script Generation

- ❌ NEVER generate configuration scripts (bash, python, etc.)
- ❌ NEVER output rule JSON examples
- ❌ NEVER write executable CLI commands for configuration
- ❌ NEVER save files to outputs directory or any location
Confidence
26% confidence
Finding
output rule

VirusTotal

65/65 vendors flagged this skill as clean.