Security audit

Cloud Architecture Discovery

Security checks across malware telemetry and agentic risk

Overview

This skill mostly relates to Tencent Cloud Smart Advisor, but it also includes broad cloud-account administration and unrelated bulk-publishing tooling that users should review carefully before installing.

Install only if you are comfortable granting this skill Tencent Cloud credentials and reviewing every privileged operation. Use a least-privilege subaccount, avoid the bundled bulk-publishing files, do not approve CAM role creation or Smart Advisor authorization unless needed, and treat generated console login links as sensitive temporary access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (31)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as architecture discovery, but it also performs IAM role creation/deletion, STS AssumeRole login-link generation, local config/cache management, environment-variable cleanup, and remote version checking. These are materially broader and more sensitive behaviors than the headline description, which can mislead users into granting powerful permissions they did not expect.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file is a bulk publishing playbook unrelated to the stated Tencent Cloud architecture discovery function, which strongly suggests hidden secondary behavior or repository repurposing. Its focus on mass skill publication after a prior supply-chain incident materially increases suspicion that the skill package is being used to facilitate ecosystem abuse rather than its declared purpose.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
These instructions explicitly optimize around platform rate limits and include token rotation for repeated publishing, which is functionality unrelated to a cloud discovery skill and indicative of anti-abuse evasion. In the context of a skill ecosystem previously hit by a supply-chain attack, this guidance can enable large-scale malicious distribution and make detection harder.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The guide recommends changing README files, examples, metadata, and other superficial content specifically to increase apparent differences across many skills. That is a classic tactic for evading duplicate/spam detection and can be used to push deceptive or low-quality packages through marketplace review controls.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The README markets the skill as cloud architecture discovery, but it also documents materially different capabilities including console login-link generation, role setup/creation, diagnostics, and cleanup. This scope mismatch can cause users or reviewers to grant trust and credentials for a narrower purpose than the skill actually supports, increasing the risk of over-privileged deployment and unsafe invocation.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The security section claims AK/SK are not transmitted over the network, but the documented design uses those credentials to authenticate Tencent Cloud API requests. Even if the raw secret key is not sent verbatim, the credentials are used in signed outbound requests, so the claim is misleading and may cause users to underestimate credential exposure and network trust requirements.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The documentation contradicts itself on what policy is attached to the created role, creating ambiguity around granted privileges. In security-sensitive IAM setup, inconsistent policy descriptions can cause users to approve broader access than intended or operators to deploy the wrong policy set.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill describes the role as effectively read-only in one place, but later states it grants full read/write access via broad policies. This mismatch weakens informed consent and may lead users to authorize permissions under a false assumption of limited access.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is described as discovery/view-only, but the documented API includes CreateAdvisorAuthorization, which enables Smart Advisor authorization and changes account state. This mismatch can mislead users or downstream systems into granting a skill broader capabilities than expected, increasing the risk of unintended authorization changes during supposed read-only operations.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented API performs a state-changing authorization action ('开启智能顾问授权', i.e. "enable Smart Advisor authorization") rather than a read-only discovery operation. In a skill advertised as cloud architecture discovery, including an endpoint that grants authorization and also enables additional report-interpretation and collaboration permissions expands scope beyond inventory/view access and could cause unauthorized privilege or feature enablement if invoked by an agent.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation explicitly states that enabling Smart Advisor authorization will also enable report interpretation and cloud architecture collaboration permissions. That contradicts the stated purpose of a discovery-only skill and makes the skill more dangerous because a seemingly benign architecture-mapping capability can silently broaden access and collaboration features.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The environment check enforces remote version validation via an external CLI and blocks use until an update occurs, which goes beyond local readiness checking for an architecture-discovery skill. In a security-sensitive setup flow, this can create unnecessary external trust dependencies and pressure users to install/update code before using the tool.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script claims to be detection-only but automatically writes role configuration to disk when it discovers a suitable role. That hidden state change can surprise users, persist sensitive account metadata, and violate least astonishment during a supposedly read-only check.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The module docstring states the script is read-only and will not modify configuration, yet the code later writes config.json to the user's home directory. Misrepresenting side effects is dangerous in credentialed cloud tooling because users may run it expecting no persistence while it stores account and role information locally.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script performs destructive local cleanup and can optionally delete a cloud CAM role, which materially exceeds the stated skill purpose of architecture discovery. In a discovery-focused skill, bundling deletion functionality creates an unexpected and risky capability that could cause loss of configuration, credentials context, or cloud access if invoked by a user or wrapper automation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code can delete a Tencent CAM role named advisor using available credentials, which is an IAM-destructive action unrelated to cloud architecture discovery. If run in an automated or misunderstood context, it could remove access paths or break integrations, especially because the role name is fixed and the action is real cloud-side state change.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script performs privileged IAM write operations by creating a CAM role and attaching broad policies, which exceeds the skill's stated read-only cloud architecture discovery purpose. In an agent/skill context, this creates unexpected authority changes in the user's cloud account and can expand access surface or establish persistence if run with valid credentials.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The script reads Tencent Cloud credentials from environment variables and uses them to perform IAM administration unrelated to architecture discovery. While reading environment credentials is common for cloud tooling, in this skill it becomes dangerous because those credentials are used for privileged write actions that users may not expect from a discovery feature.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The fallback SSL logic explicitly disables certificate validation and hostname verification when certifi is unavailable, allowing man-in-the-middle interception of STS requests and temporary credential exchange. In this script, that is especially dangerous because it handles long-lived cloud API credentials and returns passwordless console login URLs, so intercepted traffic can lead to account access.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This file's purpose is to generate Tencent Cloud passwordless console login URLs via STS AssumeRole, which is materially different from the declared skill purpose of architecture discovery and topology/resource mapping. That capability expands the blast radius from read/discovery behavior to interactive console access, enabling privilege use outside the expected scope of the skill.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The setup script does more than discovery: it offers to create a CAM role and attach permissions, modifying the user's cloud IAM configuration. In a skill described as architecture discovery, this is security-sensitive because it expands privileges and changes account state beyond read-only inspection, increasing blast radius if the skill or its assumptions are wrong.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Including `QcloudTAGFullAccess` grants broad tag-management capabilities that exceed what is typically necessary for architecture discovery. If this role is assumed by the skill or exposed through generated console access, it could allow unintended modification of resource tags across the account, which may affect automation, billing, access-control logic, or inventory systems.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The module exposes a fully generic Tencent Cloud API client that accepts arbitrary service, host, action, version, payload, and region values rather than restricting calls to architecture-discovery endpoints. In the context of an agent skill, this broad capability can be repurposed to query or modify unrelated cloud resources if the invoking workflow or prompts are influenced by an attacker.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The example prompts are broad and overlap with normal user conversation, without clear trigger boundaries or exclusions. In an agent setting, ambiguous invocation can cause the skill to activate unexpectedly and access cloud metadata, generate links, or initiate sensitive workflows when the user did not intend to use this specific skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown presents a permission-impacting authorization action as routine API usage without a clear warning about the security consequences. In agent-consumable documentation, this omission is risky because an automated system or user may treat the endpoint as part of normal discovery setup and trigger account-level authorization changes without understanding the side effects.

VirusTotal

50/50 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
advisor-2020-07-21/调用方式/签名方法 v3.md:779

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
advisor-2020-07-21/调用方式/签名方法.md:484

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/login_url.py:86

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/tcloud_api.py:50