Tencent EdgeOne

Security checks across malware telemetry and agentic risk

Overview

This EdgeOne cloud-management skill is mostly purpose-aligned, but it includes under-disclosed automatic account and local-environment changes that users should review before installing.

Install only if you are comfortable giving an agent access to your Tencent Cloud/EdgeOne account through tccli. Before use, require explicit confirmation for every write, purchase, certificate deployment, cache purge, IP blocklist change, package upgrade, and especially any CAM service-linked role creation; avoid running it on vague troubleshooting requests unless you have clearly confirmed the target EdgeOne account, zone, domain, time range, and intended action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The skill description says to use this skill whenever a user mentions any EdgeOne/EO-related configuration, operations, querying, or troubleshooting needs, which is broad enough to trigger on loosely related requests. In an agentic environment, this can cause unintended activation and unnecessary loading of API-oriented instructions, increasing the chance of inappropriate tool use or user confusion.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The trigger phrases for entering the 'add acceleration domain' flow are broad enough that normal user utterances like 'add domain' or 'configure acceleration domain' may invoke a state-changing workflow without sufficient specificity. In an agent setting, ambiguous invocation increases the chance of unintended DNS/configuration changes, especially because later steps can alter production traffic if the agent misroutes the conversation.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill instructs the agent to automatically create a CAM service-linked role when DNSPod hosting creation fails due to missing authorization, but it does not require an explicit user-facing warning that account permissions are being modified. Creating IAM/CAM roles is a privileged security-sensitive action, and doing so automatically can expand service access and violate least-privilege or change-management expectations.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill instructs the agent to run a package-manager upgrade of `tccli` automatically at the start of each session, which changes the user's local environment without explicit consent or warning. Even though the command is framed as best-effort and non-blocking, automatic upgrades can introduce supply-chain risk, break existing workflows, or modify system state unexpectedly, which is unsafe behavior for an agent skill.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The document instructs the agent to automatically create a CAM service-linked role when a DNSPod authorization error occurs, but it does not require explicit user consent or a clear warning that account permissions will be changed. Even if the role is limited in scope, silently altering IAM/CAM configuration is a sensitive action that can surprise users, violate least-astonishment expectations, and expand access without informed approval.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The best-practice pseudo-code recommends catching an authorization error, silently creating the service-linked role, and retrying automatically. This normalizes privilege-affecting changes without user awareness, making the skill capable of modifying security-sensitive account configuration as part of routine workflow, which increases the risk of unauthorized or unexpected privilege enablement.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The error-handling guidance explicitly tells the skill to say only 'Configuring service authorization for you...' and then automatically create authorization, minimizing meaningful disclosure. In the context of an operational cloud-management skill, this is more dangerous because users may assume the agent is only checking status, while it is actually changing IAM/CAM state in their account.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger examples for Scenario A include very generic help-seeking phrases such as asking to analyze logs or find anomalies, which can match ordinary troubleshooting requests without a clear EdgeOne/log-analysis context. In an agent-routing setting, this increases the chance of unintended skill invocation, causing the system to pull and process potentially sensitive log data when the user may not have intended that specific action.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
Scenario B uses ambiguous phrases like asking when failures were concentrated recently or which period had the most 5xx errors, without sufficiently scoping the request to EdgeOne logs, a specific domain, or a known dataset. This can cause the skill to activate on generic observability questions and initiate log retrieval or analysis beyond the user's intended scope.

Vague Triggers

Severity: Low
Confidence: 80%
Finding
Scenario C trigger phrases like asking which resources use the most bandwidth or for per-resource traffic breakdown are broad analytics requests that overlap with ordinary reporting tasks. While less severe than fault-analysis scenarios, they still risk misrouting users into a workflow that downloads and parses access logs, exposing more detailed operational data than necessary.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The Scenario A trigger list includes broad natural-language phrases such as general troubleshooting requests, which can cause the skill to activate when the user did not clearly intend to invoke this specific capability. In an agent setting, overbroad activation can lead to unnecessary account-level diagnostic actions and unexpected API usage against production observability data.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
Scenario B also uses broad phrases like generic troubleshooting language that overlaps with common speech, increasing the chance of accidental invocation outside the intended EdgeOne context. This can cause the agent to perform comparative edge/origin diagnostics and potentially query account-wide operational data without sufficiently explicit user intent.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger list contains many broad natural-language phrases such as 'help me check security templates' and 'what's the template binding status' that may match routine support or exploratory questions, causing the skill to activate when the user did not clearly request this specific audit workflow. In a security-focused skill, unintended invocation can expose security inventory details, produce misleading audit conclusions, or steer the agent into querying sensitive configuration data without sufficiently precise user intent.

VirusTotal

VirusTotal findings are pending for this skill version.