Volcengine Cli

Security checks across malware telemetry and agentic risk

Overview

This is a real Volcengine cloud-management skill, but it can make signed cloud API calls over plaintext HTTP and includes broad high-impact cloud actions that deserve review before installation.

Install only if you intend to let an agent operate a Volcengine account. Use a least-privilege test account or temporary credentials, confirm every create/modify/delete/stop action, avoid using the extension API helper for entries configured with HTTP, and review the broad extension API list before allowing it near production resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill declares no explicit permissions even though it is designed to use environment variables, read files, access the network, and execute shell commands. That mismatch reduces transparency and weakens policy enforcement, making it easier for a high-impact infrastructure skill to run with capabilities users or the platform may not have clearly approved.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding:
The description says the skill manages Volcengine resources via the CLI, but the actual behavior also includes login orchestration, API discovery, Swagger retrieval, and extension-API tooling. That broader behavior expands the attack surface and can surprise users or policy engines that rely on the declared purpose to judge risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The skill metadata says it is for Volcengine CLI infrastructure/resource management, but the registry includes unrelated extension APIs such as security-analysis workflows, domain/trademark operations, IoT actions, and internal/test-oriented endpoints. In an agent setting, this scope expansion increases the chance that user prompts trigger unexpected sensitive operations outside the advertised purpose, weakening least-privilege and user consent boundaries.

Vague Triggers

Severity: Medium
Confidence: 76%
Finding:
The trigger instructions are broad enough to activate on generic infrastructure requests, which increases the chance the skill is invoked when the user did not clearly intend Volcengine-specific actions. In a cloud-management skill, accidental activation can expose account metadata, initiate login flows, or steer the session toward sensitive infrastructure operations.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The documentation includes concrete `ve iam` commands that create, modify, and delete IAM users and tags against real cloud accounts, but it does not clearly warn that these are live, state-changing operations. In an agent skill context, examples are especially risky because they may be copied or operationalized automatically, leading to unintended IAM changes, audit noise, or accidental privilege-management side effects in production environments.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The guidance explicitly recommends creating and deleting live RDS instances for lifecycle tests and notes they are billable, but it does not provide a clear safety warning, confirmation requirement, or guardrails around destructive actions and cloud spend. In a cloud-management skill, this can lead users or agents to incur unexpected charges or delete resources without sufficient caution, especially because cleanup guidance can be interpreted as operational instruction rather than a controlled test-only procedure.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The registry exposes mutation-capable operations such as starting/stopping/rebooting cloud servers without any built-in confirmation, dry-run, or explicit risk acknowledgment. In an agent workflow, a prompt misunderstanding or prompt-injection-induced invocation could directly change production infrastructure availability.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The main execution path performs API calls immediately once arguments resolve, with no user-facing disclosure when the selected action is write or destructive. Because this skill is designed for cloud operations, silent execution materially increases the risk of unintended resource creation, modification, stoppage, or deletion through ambiguous prompts or agent misuse.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
Multiple registered APIs are explicitly configured with 'scheme': 'http', while requests are signed with long-lived credentials and may include session tokens and sensitive request/response data. Sending authenticated cloud-management traffic over plaintext HTTP enables network attackers to observe metadata and potentially steal credentials or tamper with requests/responses, which is especially dangerous in an infrastructure-management skill.

VirusTotal

65/65 vendors flagged this skill as clean.