Back to plugin

Security audit

Volcengine Skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Volcengine cloud-operations bundle, but it needs Review because it combines broad cloud/database write authority with under-disclosed automatic telemetry and uneven safeguards.

Install only if you intend to let the agent operate a Volcengine account. Review and disable telemetry if unwanted, use least-privilege or temporary credentials, avoid high-privilege profiles, require explicit approval before writes/deletes, and be cautious with database service-role keys, Terraform apply scripts, --yes deployment commands, and any action involving billing, domains, IoT, security workflows, or production data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (235)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no explicit permissions while instructing the agent to use shell execution, network access, environment variables, and file interactions to install the CLI, authenticate, and call helper scripts. This creates a governance gap: a caller or platform may treat the skill as low-privilege even though it can authenticate to a cloud account and perform broad cloud-management actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill advertises itself as a general Volcengine CLI wrapper, but the instructions also rely on auxiliary Python scripts that fetch API metadata, drive remote login flows, and send extension API requests outside the normal `ve` command path. This mismatch can mislead reviewers and users about the true attack surface, especially because direct API invocation and OAuth helper orchestration may bypass assumptions tied to the CLI-only model.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The extension helper exposes `sec_agent` workflow-execution APIs such as `RunPcapAnalyzer`, `RunSensitiveDataDetector`, and related security-analysis actions inside an infrastructure-management skill. This materially expands the skill's capability beyond expected Volcengine CLI resource administration and could let a user or downstream agent invoke high-sensitivity analysis workflows on arbitrary data, increasing the attack surface and creating cross-domain misuse risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file registers many APIs outside the advertised cloud-resource-management scope, including domain registration, trademark operations, IoT device control, and security-analysis workflows. In an agent skill, this creates a capability mismatch that can let prompts trigger sensitive actions the user and platform may not expect, increasing the risk of overbroad access and prompt-driven misuse.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger conditions are broad enough to activate on generic infrastructure or troubleshooting requests, including vague references to 'cloud resources' or Chinese mentions of 火山. Over-broad activation increases the chance that a powerful cloud-management skill is invoked in the wrong context, which can expose account identity, start auth flows, or steer users into risky operational paths unintentionally.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation includes a force-deletion command for a load balancer without any adjacent warning that it is destructive and may remove dependent resources. In an infrastructure-management skill, operators may copy commands directly, so omission of safety context increases the chance of accidental service disruption or irreversible deletion.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The helper can directly execute write and destructive operations such as create, stop, delete, register, or restart actions without any built-in confirmation, policy gating, or dry-run requirement. In an agent context, that is dangerous because prompt mistakes, prompt injection, or ambiguous user intent can lead to irreversible cloud or service changes.

Unvalidated Output Injection

High
Category
Output Handling
Content
def check_ve_login_status() -> str:
    try:
        completed = subprocess.run(
            ["ve", "sts", "GetCallerIdentity"],
            check=False,
            capture_output=True,
Confidence
95% confidence
Finding
subprocess.run( ["ve", "sts", "GetCallerIdentity"], check=False, capture_output

Credential Access

High
Category
Privilege Escalation
Content
`CreateVirtualNode`:

- Required: `Kubeconfig`, `VirtualNodeConfig`.
- This creates infrastructure and needs a cleanup plan before execution.

### VMP
Confidence
18% confidence
Finding
Kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
- `ListPreagg` returned HTTP 200 with an empty response.
- VMP metric APIs (`QueryMetrics`, `QueryMetricsRange`, `GetLabelValues`, `GetLabels`, `GetSeries`) were validated against a temporary `vmp.standard.15d` workspace with a real remote-write sample `codex_vmp_verify_value{run_id="run_20260602_1916",source="codex"} 42`. `QueryMetrics` and `QueryMetricsRange` returned value `42`; `GetLabels` returned `__name__`, `run_id`, and `source`; `GetLabelValues` returned the test `run_id`; `GetSeries` returned the complete series. The temporary workspace was deleted afterwards and `GetWorkspace` returned `ResourceNotExist`.
- Live batch stream APIs returned permission errors after valid `StartTime`/`EndTime` parameters were supplied, confirming the earlier `InvalidParam` was only parameter-shape related.
- `CreateVirtualNode` reached VKE and requires `Kubeconfig` plus `VirtualNodeConfig`. It was not executed because it needs an external Kubernetes kubeconfig and the registry does not include a matching virtual-node delete API for cleanup.
- Most domain, IoT, trademark, metrics, sec_agent, VEEN, and Flink APIs returned `AccessDenied` for the tested account. Creating dependent resources cannot bypass IAM denial; use an account with the relevant service permissions for full business-flow testing.

Implementation notes:
Confidence
18% confidence
Finding
Kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
- `ListPreagg` returned HTTP 200 with an empty response.
- VMP metric APIs (`QueryMetrics`, `QueryMetricsRange`, `GetLabelValues`, `GetLabels`, `GetSeries`) were validated against a temporary `vmp.standard.15d` workspace with a real remote-write sample `codex_vmp_verify_value{run_id="run_20260602_1916",source="codex"} 42`. `QueryMetrics` and `QueryMetricsRange` returned value `42`; `GetLabels` returned `__name__`, `run_id`, and `source`; `GetLabelValues` returned the test `run_id`; `GetSeries` returned the complete series. The temporary workspace was deleted afterwards and `GetWorkspace` returned `ResourceNotExist`.
- Live batch stream APIs returned permission errors after valid `StartTime`/`EndTime` parameters were supplied, confirming the earlier `InvalidParam` was only parameter-shape related.
- `CreateVirtualNode` reached VKE and requires `Kubeconfig` plus `VirtualNodeConfig`. It was not executed because it needs an external Kubernetes kubeconfig and the registry does not include a matching virtual-node delete API for cleanup.
- Most domain, IoT, trademark, metrics, sec_agent, VEEN, and Flink APIs returned `AccessDenied` for the tested account. Creating dependent resources cannot bypass IAM denial; use an account with the relevant service permissions for full business-flow testing.

Implementation notes:
Confidence
18% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
| `ga` | `ListAccelerateAreas`, `ListBandwidthPackages`, `GetAcceleratorDimension`, related endpoint info APIs | `ListAccelerateAreas` returned real area metadata. Bandwidth/accelerator/dimension/endpoint-related APIs returned empty results, consistent with `ve ga ListAccelerators` and `ve ga ListPublicBandwidthPackages` showing zero resources. Resource-detail APIs need GA accelerator, bandwidth package, listener, or endpoint IDs. |
| `live` | `DescribeLiveBatchStreamTranscodeData`, `DescribeLiveBatchStreamSessionData` | Validated through signed Action/Version calls and RFC3339 time strings. `ListDomainDetail` returned no live domains; both private stats APIs returned zero totals and empty stream lists, matching current resource state. |
| `flink` | `ListGMSProject`, `ListGMCSResourcePool` | Validated with the Flink compatibility request. `ListGMCSResourcePool` returned a valid empty list; `ListGMSProject` reached Flink business logic and reported the current account is not initialized. Other GWS/GAS APIs require Flink project/resource pool/application/draft IDs and should not be called without creating those resources. |
| `vke` | `ListVirtualNodes`, `CreateVirtualNode` | `ListVirtualNodes` returned an empty list, consistent with no VKE clusters. `CreateVirtualNode` reached VKE and returned missing `VirtualNodeConfig`; real validation requires an existing Kubernetes cluster/kubeconfig and cleanup plan. |
| `CDN` | `DescribeOriginTopStatisticalData` | Request reached the service, but CDN is stopped/not opened for the account (`OperationDenied.ServiceStopped` / `NotFound.Service`). Positive validation requires CDN service activation and a CDN domain with origin traffic. |
| `mcdn` | `DescribeCdnDomainConfig` | Service is unsubscribed (`mcdn.UnsupportedOperation.ServiceUnsubscribed`). Positive validation requires MCDN activation and a CDN domain. |
| `veenedge` | `GetVEENInstanceUsage`, `GetVEEWInstanceUsage`, `GetBandwidthUsage`, `GetBillingUsageDetail` | GET request
...[truncated 25 chars]
Confidence
18% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
# KMS Service Notes

## DescribeKeys Requires a Keyring

`DescribeKeys` requires `KeyringName` or `KeyringID`; omitting both returns `MissingParameter`.
Confidence
21% confidence
Finding
Keyring

Credential Access

High
Category
Privilege Escalation
Content
## DescribeKeys Requires a Keyring

`DescribeKeys` requires `KeyringName` or `KeyringID`; omitting both returns `MissingParameter`.

Observed in `cn-beijing`: `DescribeKeyrings` returned an existing keyring, `DescribeKeys` worked when scoped to that keyring, and `DescribeSecrets` returned `TotalCount: 0`.
Confidence
21% confidence
Finding
Keyring

Credential Access

High
Category
Privilege Escalation
Content
## DescribeKeys Requires a Keyring

`DescribeKeys` requires `KeyringName` or `KeyringID`; omitting both returns `MissingParameter`.

Observed in `cn-beijing`: `DescribeKeyrings` returned an existing keyring, `DescribeKeys` worked when scoped to that keyring, and `DescribeSecrets` returned `TotalCount: 0`.
Confidence
21% confidence
Finding
Keyring

Credential Access

High
Category
Privilege Escalation
Content
`DescribeKeys` requires `KeyringName` or `KeyringID`; omitting both returns `MissingParameter`.

Observed in `cn-beijing`: `DescribeKeyrings` returned an existing keyring, `DescribeKeys` worked when scoped to that keyring, and `DescribeSecrets` returned `TotalCount: 0`.

## Deletion Is Scheduled
Confidence
21% confidence
Finding
Keyring

Credential Access

High
Category
Privilege Escalation
Content
`DescribeKeys` requires `KeyringName` or `KeyringID`; omitting both returns `MissingParameter`.

Observed in `cn-beijing`: `DescribeKeyrings` returned an existing keyring, `DescribeKeys` worked when scoped to that keyring, and `DescribeSecrets` returned `TotalCount: 0`.

## Deletion Is Scheduled
Confidence
21% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
`DescribeKeys` requires `KeyringName` or `KeyringID`; omitting both returns `MissingParameter`.

Observed in `cn-beijing`: `DescribeKeyrings` returned an existing keyring, `DescribeKeys` worked when scoped to that keyring, and `DescribeSecrets` returned `TotalCount: 0`.

## Deletion Is Scheduled
Confidence
21% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
KMS keys and secrets are not immediate-delete resources. The current action list exposes `ScheduleKeyDeletion`, `CancelKeyDeletion`, `ScheduleSecretDeletion`, and `CancelSecretDeletion`.

Prefer read/help validation unless the test explicitly accepts scheduled deletion and follow-up cleanup tracking. Disposable tests should use a dedicated keyring name prefix.
Confidence
21% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
If explicitly approved, record every returned resource ID, use `DeleteCluster` with an explicit retention/deletion policy, and verify `ListClusters` no longer returns the test cluster. A newly created cluster can reject deletion while its status is `Creating` or addon sync is still `Progressing`; poll `ListClusters` until the cluster reaches `Running`/`Ok`, then delete.

Observed in `cn-beijing`: clusters, node pools, kubeconfigs, and addons all returned empty lists; supported addon/resource-type discovery worked.

Validation note: a no-node Flannel cluster with `Tags: [{"Key":"publish-by","Value":"deploy-skill"}]` was created in `cn-beijing`, the tag appeared in `ListClusters`, then `DeleteCluster` removed it after the cluster reached `Running`/`Ok`.
Confidence
18% confidence
Finding
kubeconfig

Session Persistence

Medium
Category
Rogue Agent
Content
1. **Default to read-only** — unless the user explicitly requests a change, execute in read-only mode
2. **DryRun first** — if a write/destructive operation supports `--DryRun true`, run a DryRun to preview the plan, then confirm before executing
3. **Confirm before executing** — show the full command for write operations and wait for approval
4. **Protect credentials** — never read `~/.volcengine/config.json`; never expose access-key, secret-key, or session-token in output

### DryRun Notes
Confidence
72% confidence
Finding
write operations and wait for approval 4. **Protect credentials** — never read `~/.volcengine

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to use shell commands, read local reference files, access environment variables, and perform networked control-plane and data-plane operations, but the file declares no explicit permissions or guardrails for those capabilities. In a database-management skill, this is dangerous because it can lead to overbroad execution and secret exposure risk, especially where API keys, service-role keys, connection info, and local env files are involved.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The 'list-migrations' action performs CREATE SCHEMA and CREATE TABLE statements before reading migration history, which means a supposedly read-only/listing operation mutates the target database. In an agent context, this can violate user expectations, alter production state, and bypass safeguards that assume listing actions are non-destructive.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation description is broad enough to activate on generic requests for SQL execution, API keys, endpoints, or connection information, which are sensitive database operations. In this context, that broad triggering increases the chance the skill is invoked without sufficient scoping or confirmation, potentially causing unintended secret retrieval, destructive SQL actions, or over-privileged database changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide includes a deployment example that explicitly disables JWT verification, creating a publicly callable endpoint without any nearby warning about authentication, abuse, or data exposure risks. In a database-provider skill, this is more dangerous because users may copy-paste the command for functions that interact with sensitive backend resources, leading to unauthorized invocation if the function logic is not carefully constrained.

VirusTotal

58/58 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
.opencode/plugin/volcengine-telemetry.js:32
Evidence
const child = spawn("bash", [REPORTER_SH, "--mode", "skill"], {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
hooks/openclaw-skill-detect.js:53
Evidence
const child = spawn("bash", [REPORTER_SH, "--mode", "skill"], {

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
skills/volcengine-iac/references/volcenginecc-blocked.md:602
Evidence
password = [REDACTED]

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
skills/volcengine-iac/references/volcenginecc-redis-public-address.md:29
Evidence
export TF_VAR_redis_password='[REDACTED]'

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
skills/volcengine-iac/references/volcenginecc-redis.md:31
Evidence
export TF_VAR_redis_password='[REDACTED]'