ClawHub
Back to skill

Security audit

Architecture Dashboard & Risk Review

Security checks across malware telemetry and agentic risk

Overview

This skill is a Tencent Cloud architecture helper, but it also includes admin-level cloud role changes, credential use, console login link generation, and unrelated bulk-publishing evasion guidance.

Install only if you intentionally want an admin-capable Tencent Cloud Smart Advisor helper, not just an architecture viewer. Use short-lived or least-privilege credentials, avoid storing long-lived AK/SK in shell startup files, review any role creation or advisor authorization step, and treat generated console login links as sensitive session material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (36)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill's public description suggests a read-oriented architecture dashboard and risk review tool, but the body includes materially more sensitive behaviors: credential validation, local config persistence, IAM role creation/deletion, STS role assumption, and service authorization writes. This mismatch can mislead users and downstream systems into granting trust to a skill that performs privileged cloud and local-environment changes beyond what its summary implies.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This document is unrelated to the stated skill purpose and instead provides operational guidance for bulk publishing many skills while avoiding platform anti-spam enforcement. In the context of a skill package, that materially increases supply-chain abuse risk by enabling mass deployment tactics associated with prior malicious campaigns.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The guide gives explicit advice on token rotation, staggered publishing, and modifying content to reduce anti-spam detection, which is classic abuse-enablement content. These instructions help an operator circumvent platform protections designed to stop mass malicious or low-quality uploads, making the skill package dangerous beyond normal documentation concerns.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README describes capabilities beyond the declared skill purpose of architecture dashboarding and risk review, specifically generating passwordless console login links. Expanding a skill's effective scope to include account-access functionality increases attack surface and can mislead users or reviewers about what privileged actions the skill may enable.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Passwordless console login generation is materially more sensitive than architecture viewing or risk reporting because it facilitates direct authenticated access into a cloud console. In this skill context, that capability is unexpected and could enable privilege use or session handoff without users appreciating the security implications.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document inconsistently describes the attached Advisor policy as read-only in one section and full read/write in another, while later also mentioning `QcloudTAGFullAccess`. Permission-description contradictions are dangerous because users may consent under a false assumption of least privilege, leading to overbroad cloud access being granted.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The file includes sample code that accesses Tencent Cloud credentials from environment variables and uses them to sign requests. Reading secrets is not inherently malicious in API client documentation, but in the context of a skill whose stated purpose is architecture dashboard/risk review, this capability is outside scope and enables credential use against cloud APIs if the content is repurposed or executed by an agent.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The entire file is focused on Tencent Cloud API signing and direct API invocation rather than the advertised architecture dashboard and risk review functionality. This mismatch materially increases risk because it introduces cloud API access patterns, credential usage, and request construction instructions that are unrelated to the declared skill purpose and could facilitate unauthorized or unexpected external actions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script persists role/account configuration to disk even though it presents itself as an environment-check tool. Silent state changes from a supposedly read-only checker are dangerous because users and calling automations may grant it trust they would not give to a configuration-writing utility.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code goes beyond passive health/risk review by discovering IAM role state, auto-configuring role metadata, and validating console-login role assumption. In the context of a dashboard/risk-review skill, this scope expansion is risky because it touches privileged identity workflows that users may not expect from the advertised functionality.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
Running another local Python program to validate privileged login behavior introduces an extra execution surface and implicitly trusts another script to handle sensitive role-assumption logic correctly. In a dashboard/risk-review context, executing auxiliary code for login validation is more dangerous because it broadens privilege-related behavior beyond the advertised scope.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The module docstring claims the script is read-only and will not modify configuration, but the code later writes config data when it detects an existing role. This mismatch is dangerous because deceptive or inaccurate safety claims can cause users and automation to execute the script under false assumptions, enabling unwanted persistence and trust abuse.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documentation instructs the agent to generate a passwordless console login link whenever architecture details are returned, which expands a read-oriented API into an authenticated access broker. This creates a risky privilege transition: a user asking for architecture metadata could be given a direct console-entry link without an explicit, justified access-control step or user warning, enabling unauthorized or overly broad console access if the link is exposed or misused.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill is described as an architecture dashboard with risk review, but this section requires creating direct passwordless console links that are not necessary for simply displaying architecture details. That mismatch makes the behavior more dangerous because it introduces a sensitive access capability unrelated to the apparent user task, increasing the chance of covert privilege escalation or accidental disclosure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file is a destructive cleanup utility that deletes local configuration, cached data, and optionally a remote Tencent CAM role, which is unrelated to an architecture dashboard/risk-review skill. In a skill context, bundling deletion of credentials/config and cloud IAM resources materially increases the chance of misuse, accidental execution, or supply-chain abuse.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code enumerates Tencent Cloud credential-related environment variables, generates shell scripts to unset them, and can use AK/SK from the environment to delete a remote CAM role. Those capabilities are unjustified for a dashboard/review skill and create unnecessary access to secrets and privileged cloud operations.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script provisions a CAM role and attaches broad managed policies (QcloudTAGFullAccess and QcloudAdvisorFullAccess), which expands account privileges beyond a read-only architecture dashboard/risk review use case. Even if documented as requiring consent, the code is designed to perform IAM write operations and persist the resulting role configuration, making the skill materially more dangerous if invoked in an automated or semi-trusted agent context.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script’s primary function is to generate Tencent Cloud console SSO login URLs from long-lived credentials and STS role assumption, which is a privileged access capability unrelated to a normal architecture dashboard or risk review feature. In this skill context, that mismatch materially increases risk because it can be used to mint console access links and pivot into cloud administration workflows.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code accepts long-lived cloud secrets and role configuration from environment variables and local config files, expanding the trust boundary far beyond what an architecture dashboard should need. In this context, handling persistent credentials enables credential misuse and unauthorized cloud access if the skill is triggered unexpectedly or run in a shared environment.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This setup script creates an IAM/CAM role and attaches broad privileges (`QcloudTAGFullAccess`, `QcloudAdvisorFullAccess`) despite the skill being presented as a dashboard/risk-review tool. Even with user confirmation, this materially changes the cloud security posture and exceeds the least-privilege expectations for a monitoring-oriented skill, making accidental over-permissioning likely.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The core API function is intentionally generic: it accepts arbitrary service, host, action, version, payload, and region values, which enables broad Tencent Cloud access far beyond an architecture dashboard or risk review use case. In this skill context, that scope mismatch is dangerous because any component invoking this helper can repurpose the skill into a general cloud control-plane client using ambient credentials.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The CLI entrypoint exposes the generic API caller directly to user-supplied arguments, allowing arbitrary Tencent Cloud API invocation when the script is executed. In a skill advertised for architecture dashboard risk review, this greatly increases abuse potential because the tool can be used to access unrelated services or perform unintended actions with configured credentials.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The file header and usage examples explicitly present this as a general Tencent Cloud API signing and invocation utility, which contradicts the declared architecture-dashboard/risk-review scope. That documentation is a meaningful security signal because it indicates the code was designed for broad reuse rather than least-privilege, purpose-limited operation.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The sample trigger phrases are broad, natural-language requests that could overlap with ordinary conversation and cause accidental invocation of the skill. Because this skill can access cloud architecture data and potentially generate login links, accidental triggering in a chat assistant context raises the risk of unintended sensitive operations or disclosure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises passwordless login link generation without sufficient warning about its account-access implications, which can normalize a high-risk action as a convenience feature. Users may click or request such links without understanding that this can create authenticated console access pathways and increase the chance of misuse or phishing-style confusion.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal