Volcengine Landing Zone

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for Volcengine landing-zone automation, but it handles powerful cloud changes and persists sensitive credentials in local files, so it should be reviewed carefully before use.

Install only if you are comfortable letting the agent run Volcengine CLI and Terraform operations that can change billing, identity, logging, networking, and account resources. Before use, choose a dedicated workspace, confirm each phase’s account IDs and financial impact, avoid sharing the workspace, delete or move the generated password file after first login, rotate the initial administrator password immediately, and verify that any temporary CLI profiles are cleaned up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Vague Triggers

Severity: Medium, confidence 91%
Finding
The invocation description is broad enough to auto-trigger on many general consulting, setup, management, or design requests related to Volcengine. In context, this matters because the skill can progress into execution-oriented paths using Bash/Write, so overbroad routing increases the chance of the wrong skill taking control of a user request and steering into sensitive infrastructure workflows.

Missing User Warnings

Severity: Medium, confidence 86%
Finding
The protocol directs the agent to copy potentially sensitive local files into a writable workspace artifact without any warning, minimization rule, or consent gate. In many agent runtimes, the workspace is more broadly accessible to tools, logs, or later steps than the original source location, so this can unnecessarily duplicate secrets such as passwords or login details and increase exposure risk.

Missing User Warnings

Severity: Medium, confidence 91%
Finding
Making local file opening the default behavior can trigger unsolicited actions on the user's machine without prior consent. Even if the file is local, automatically launching HTML or other content may expose sensitive information on screen, invoke risky file associations, or surprise the user in environments where opening files has side effects.

Missing User Warnings

Severity: Medium, confidence 94%
Finding
This phase directs the agent to establish billing relationships between accounts, which can have significant financial and governance consequences, but the warning about non-automatic cleanup appears only later in the document and there is no explicit pre-execution caution about impact, approval, or reversibility. In a cloud landing-zone setup skill, this is dangerous because an operator may trigger cost-allocation or delegated billing changes without understanding that rollback may require separate manual CLI actions and may affect multiple accounts.

Missing User Warnings

Severity: High, confidence 98%
Finding
This instruction explicitly requires taking a freshly generated administrator password and writing it inline into a markdown file on disk as the primary deliverable. That creates a plaintext credential artifact that is likely to be broadly readable, retained in backups, synced to repositories, or exposed through workspace tooling, increasing the chance of credential disclosure for a highly privileged account.

Missing User Warnings

Severity: Medium, confidence 96%
Finding
The guide explicitly instructs the agent to create a workspace automatically and perform real execution inside workspace copies, but it does not require a clear user-facing notice or confirmation before local files and directories are created or modified. In an agent skill, silent filesystem changes are dangerous because users may believe they are only consulting or reviewing a plan while the tool is already altering local state.

Missing User Warnings

Severity: High, confidence 99%
Finding
This section directs the agent to perform directory preparation, Terraform init, plan, and potentially apply-style execution in the background on a phase-by-phase basis, while also stating that writes should proceed continuously without prompting for each individual write. In the context of cloud landing-zone setup, these actions can create or modify real infrastructure, so insufficient user-visible authorization boundaries can lead to unintended, costly, or security-relevant cloud changes.

Missing User Warnings

Severity: High, confidence 98%
Finding
The guide instructs the agent to assume into another account, obtain temporary credentials, write them into a temporary profile, and later restore/delete that profile, but it does not require an explicit warning or consent flow around credential access and storage. Even temporary credentials are sensitive secrets; writing them to local profiles or configuration can expose cross-account access if logs, shell history, profile files, or the workspace are later accessed by another user or process.

Missing User Warnings

Severity: Medium, confidence 89%
Finding
The skill instructs the agent to run `ve login` directly and non-interactively, which modifies local authentication state under the user's profile without an explicit consent checkpoint immediately before doing so. In an agent setting, silently changing auth context can surprise the user, overwrite or replace an existing session, and cause subsequent actions to execute under unintended credentials.

Missing User Warnings

Severity: Medium, confidence 92%
Finding
The preflight flow authorizes automatic creation of `volcengine-landing-zone-workspace` and related runtime directories, which causes filesystem writes without an explicit warning at the point of action. While operationally convenient, silent writes can violate user expectations, create artifacts in unintended locations, or overwrite assumptions about a read-only consulting/design interaction.

VirusTotal

65/65 vendors flagged this skill as clean.