Back to skill

Security audit

Cloud Architecture Holistic View

Security checks across malware telemetry and agentic risk

Overview

This skill mostly supports Tencent Cloud architecture viewing, but it also bundles sensitive account-access, IAM setup/deletion, insecure TLS fallback, and unrelated publishing-evasion guidance that users should review carefully.

Install only if you intentionally want an admin-capable Tencent Cloud Smart Advisor helper, not just a viewer. Use temporary or least-privilege credentials, avoid storing long-lived AK/SK in shell startup files, review any role creation or authorization prompt, and treat generated console login links as sensitive session material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (36)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a holistic/read-oriented cloud architecture viewer, but it also performs sensitive state-changing operations: creating and deleting CAM roles, attaching policies, persisting configuration, and generating console login URLs via AssumeRole. This mismatch can cause users or downstream agents to authorize far more privilege and side effects than the description suggests, increasing the risk of unintended IAM changes and credential misuse.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The guide contains operational instructions for bulk publishing, token rotation, and pacing releases to avoid triggering anti-spam controls. That behavior is unrelated to a skill for viewing cloud architecture artifacts and is indicative of guidance for evading platform abuse defenses, which could facilitate mass distribution of malicious or deceptive skills.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The document advises modifying README files, example files, metadata permissions, and dependencies to create artificial variation for publication success. Recommending superficial or unnecessary changes to permissions and dependencies is especially dangerous because it can disguise templated or malicious submissions and may normalize expanding a skill's privilege footprint without legitimate need.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The README documents capabilities that materially exceed the skill’s stated purpose of providing a read-only holistic architecture view, including passwordless console access, environment inspection, and references to role/configuration workflows. In an agent skill, capability drift is dangerous because users and reviewers may grant trust based on the manifest while the actual skill surface includes privileged actions and account-access features.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Environment and credential inspection is not clearly necessary for a skill whose purpose is architecture/risk viewing. Even if intended as troubleshooting, such checks often probe for secrets, local configuration, and account state, expanding the skill’s access to sensitive local and cloud metadata beyond what users may expect.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Generating passwordless console login links introduces an account-access capability far beyond passive architecture visibility. This can enable unintended console sessions, privilege misuse, or social engineering if links are generated or shared without strong user awareness and access controls.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Referencing IAM/CAM role creation, setup, and cleanup within a skill presented as a viewer materially expands it into identity and configuration management. These are privileged operations that can change trust relationships or remove configuration, creating risk of account modification, persistence, or service disruption.

Intent-Code Divergence

High
Confidence
88% confidence
Finding
The README claims secrets are not transmitted over the network, yet also states AK/SK authentication is used to call Tencent Cloud APIs. Even if raw secrets are only used for signing, this wording is misleading and can cause users to underestimate exposure and trust the skill’s handling of credentials without understanding that signed authenticated requests are sent to the cloud.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation inconsistently describes the role permissions: one section says the role is for read-only Advisor access, while another says it attaches full read/write TAG and Advisor permissions. Inconsistent privilege disclosure can mislead users into granting broader rights than intended and makes security review and least-privilege enforcement unreliable.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The documented API operation explicitly enables Smart Advisor authorization and also turns on report interpretation and cloud architecture collaboration permissions. That is a state-changing permission grant, which exceeds the skill's stated read-only purpose of providing a holistic architecture view and could lead an agent or user to authorize broader access than necessary.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Granting Smart Advisor, report interpretation, and collaboration permissions is not necessary to merely display architecture diagrams, directories, and risk assessments. In the context of a view-oriented skill, including an API that broadens account permissions increases the risk of privilege expansion and unauthorized changes to the tenant's security posture.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script claims to be read-only, but `save_config` writes role/account data to `~/.tencent-cloudq/config.json` and changes filesystem permissions. This behavior violates user expectations and can create persistence of sensitive cloud-account metadata, which is especially concerning in a security-sensitive environment-checking skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documentation goes beyond read-only listing of architecture diagrams and explicitly instructs the agent to generate passwordless console login links for returned resources. This expands the skill from data retrieval into delegated console access, which can expose sensitive cloud architecture details and enable unintended account access paths if links are generated for the wrong user, context, or resource.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This script can delete a Tencent CAM role from the cloud account, which is a destructive capability unrelated to the advertised purpose of providing a holistic architecture view. In a skill presented as read-only visibility tooling, hidden or undocumented identity-management deletion behavior increases the risk of surprising privilege-impacting actions and account disruption.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script deletes local config, cache, and credential-related environment state even though the skill is described as architecture visibility software. This mismatch is dangerous because users may install or run the skill expecting passive inspection, not local state destruction that can disrupt tooling, erase evidence, or interfere with credentials.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The code enumerates credential-related Tencent Cloud environment variables, displays masked values, and writes shell scripts that manipulate those variables. For an architecture-view skill, handling credential state is unnecessary and expands the blast radius around secrets, especially because generated scripts in temporary directories can be abused or misused in multi-user environments.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script creates a persistent CAM role and enables console login, which is an IAM write action far outside the stated purpose of providing a read-oriented holistic architecture view. In the context of an architecture-visibility skill, silently provisioning identity infrastructure materially expands access and creates long-lived privilege pathways that could be abused later.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code provisions persistent privileged access by creating an 'advisor' role and attaching broad policies such as QcloudTAGFullAccess and QcloudAdvisorFullAccess, then stores the resulting configuration for reuse. For a skill advertised as viewing architecture diagrams, directories, and risk assessments, creating durable IAM access is unjustified and increases the blast radius if the skill or host is later compromised.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script is explicitly designed to read long-lived Tencent Cloud credentials from environment variables and potentially local configuration in order to mint a passwordless console login URL. That capability materially exceeds a read-only 'holistic architecture view' and creates an account-access primitive that could be abused for interactive console access if the role is privileged.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The code performs account identity discovery and persists the account UIN in a temp-directory cache file without strong justification for the stated skill purpose. This adds unnecessary local data persistence and account metadata exposure, and on shared systems the temp-file cache may be readable or tampered with by other users or processes.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file's primary function is to generate a Tencent Cloud passwordless console login URL, not to directly provide architecture diagrams or assessments. In the context of a skill advertised as an architecture viewer, this hidden authentication and console-access behavior is especially risky because users may not expect it and may supply powerful credentials.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This setup flow can create a new CAM role and attach broad policies, which materially changes account authorization state. That exceeds the stated read-oriented 'architecture viewing' scope and increases blast radius if the skill is misused, compromised, or run by a user who does not fully understand the privilege changes.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script requires long-lived cloud API credentials from environment variables for a workflow that is presented as an architecture-viewing helper. Even though it does not visibly exfiltrate them in this file, collecting high-value secrets raises exposure risk and is more dangerous because the same script also performs privileged IAM/CAM modifications.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This file implements a fully generic Tencent Cloud API client that accepts arbitrary service, host, action, version, payload, and region values, which exceeds the stated purpose of providing a holistic architecture view. In the context of a skill that has access to account credentials, this broad capability can be repurposed to query unrelated data or invoke sensitive control-plane APIs, significantly expanding blast radius.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code automatically pulls Tencent Cloud credentials and token from environment variables, giving the script authenticated access to whatever permissions are attached to those secrets. In this skill context, that is dangerous because a supposedly architecture-view tool can silently inherit broad account-wide privileges without explicit user confirmation or scope restriction.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
advisor-2020-07-21/调用方式/签名方法 v3.md:779

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
advisor-2020-07-21/调用方式/签名方法.md:484

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/login_url.py:86

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/tcloud_api.py:50