Volcengine Troubleshooting

Security checks across malware telemetry and agentic risk

Overview

This VolcEngine troubleshooting skill is mostly transparent, but it needs review because some references treat fetching live secrets, API keys, or tokens as normal diagnostic evidence.

Install only if you are comfortable with a troubleshooting assistant using VolcEngine credentials. Use a least-privilege, temporary account where possible, do not grant secret-value or token-minting permissions unless explicitly needed, and require manual approval before any command that could reveal API keys, role credentials, workload tokens, SecretValue, user data, or full console output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence (Medium severity, 90% confidence)

The document frames the allowed action set as read-only and diagnostic, but the matrix elsewhere includes operations that can return credentials or mint access tokens. That mismatch weakens operator safeguards and can cause an agent to treat sensitive credential-retrieval APIs as safe troubleshooting steps, increasing the chance of secret exposure or privilege misuse.

Context-Inappropriate Capability (High severity, 97% confidence)

This section classifies credential and token retrieval capabilities such as GetResourceApiKey, GetResourceOauth2Token, GetRoleCredentials, and GetUserCredential as normal troubleshooting evidence. In a troubleshooting skill, these APIs enable direct access to live secrets or usable credentials that could be exfiltrated, replayed, or abused for lateral movement far beyond diagnosis.

Context-Inappropriate Capability (High severity, 98% confidence)

Treating workload access token issuance APIs as ordinary read-only evidence is dangerous because token issuance is an active credential-generation step, not passive inspection. If invoked by an agent, it can create fresh bearer tokens for workloads or identities, enabling immediate unauthorized access to downstream services and making the troubleshooting skill a credential broker.

Intent-Code Divergence (Medium severity, 89% confidence)

The file states that only read-only or diagnostic actions are eligible for troubleshooting, yet it explicitly permits actions that return API keys, role credentials, OAuth2 tokens, and workload access tokens. Those operations may be read-only from an API semantics perspective, but they are highly sensitive secret-retrieval capabilities and can enable lateral movement or privilege misuse if an agent executes them during routine troubleshooting.

Description-Behavior Mismatch (Medium severity, 95% confidence)

This section broadens a troubleshooting skill into identity and access operations that include checking API keys, listing credential providers, and retrieving role credentials or access tokens. In the context of a support/troubleshooting skill, that scope is unnecessarily expansive and creates a pathway for secret discovery and privilege escalation beyond diagnosing service errors.

Context-Inappropriate Capability (High severity, 98% confidence)

The listed actions include direct retrieval of sensitive material such as resource API keys, OAuth2 tokens, role credentials, user credentials, and workload access tokens. In a troubleshooting skill, these are context-inappropriate because the agent could expose or misuse live secrets, turning a diagnostic workflow into credential exfiltration or unauthorized access across services.

Description-Behavior Mismatch (Medium severity, 97% confidence)

This matrix explicitly includes `BatchGetSecretValue` and `GetSecretValue` as normal troubleshooting evidence for a broadly scoped VolcEngine troubleshooting skill. Secret-value retrieval goes beyond diagnostics into access to protected plaintext material, creating a data-exposure path if the agent is allowed to execute or recommend these actions by default.

Description-Behavior Mismatch (Medium severity, 98% confidence)

The KMS section lists `BatchGetSecretValue` and `GetSecretValue` among approved read/diagnostic actions, normalizing direct access to secret contents within a troubleshooting skill. In this context, 'read-only' is misleading because retrieving plaintext secrets can immediately expose credentials, tokens, or sensitive application data.

Context-Inappropriate Capability (High severity, 92% confidence)

The file's review criteria define broad 'read-only or diagnostic' actions as eligible, but the included KMS secret retrieval APIs make that policy unsafe because plaintext secret access is not justified by ordinary local troubleshooting. This mismatch widens the skill's operational scope and can lead an agent to treat secret extraction as routine evidence collection.
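The intent-code divergence findings above all turn on one point: a verb-prefix test ("Get", "List", "Describe") is necessary but not sufficient for "read-only", because several Get calls return plaintext secrets or mint credentials. The following Python is an added example, not code from the scanned skill or from any Volcengine tooling; it screens an action matrix the way the page's own recommendations (least privilege, manual approval before any secret-revealing call) imply. The IAM and KMS action names are the ones the findings cite; ListUsers, ListSecrets, DescribeKey, DescribeInstances and DeleteInstance are illustrative placeholders and have not been checked against the real API.

```python
"""Action-matrix audit for an agent troubleshooting skill (added example)."""
import re

# Verb prefixes that usually mean the call does not mutate state.
READ_ONLY_VERBS = ("Get", "List", "Describe")

# Name fragments that mean the response carries a usable secret or a freshly
# minted credential. A match overrides the verb test.
SENSITIVE_NAME = re.compile(
    r"SecretValue|ApiKey|Oauth2Token|AccessToken|Credential", re.IGNORECASE
)


def naive_is_read_only(action: str) -> bool:
    """The test a 'read-only or diagnostic' criterion amounts to in practice:
    look at the verb. 'Batch' is a modifier, so it is stripped first."""
    name = action[len("Batch"):] if action.startswith("Batch") else action
    return name.startswith(READ_ONLY_VERBS)


def classify(action: str) -> str:
    """Return 'allow', 'approval_required' or 'deny' for one API action.

    Secret-returning and token-minting calls need a human in the loop even
    when their verb is Get; anything that is neither read-only nor sensitive
    is out of scope for a troubleshooting assistant.
    """
    if SENSITIVE_NAME.search(action):
        return "approval_required"
    if naive_is_read_only(action):
        return "allow"
    return "deny"


def audit_matrix(matrix: dict[str, list[str]]) -> list[tuple[str, str]]:
    """(service, action) pairs the verb test admits but the classifier flags,
    i.e. the places where 'read-only' and 'safe' diverge."""
    return [
        (service, action)
        for service, actions in matrix.items()
        for action in actions
        if naive_is_read_only(action) and classify(action) != "allow"
    ]


# Constructed sample matrix. The IAM and KMS names are the ones the findings
# cite; the remaining names are illustrative placeholders, not real API calls.
SAMPLE_MATRIX = {
    "IAM": ["GetResourceApiKey", "GetResourceOauth2Token", "GetRoleCredentials",
            "GetUserCredential", "ListUsers"],
    "KMS": ["GetSecretValue", "BatchGetSecretValue", "ListSecrets", "DescribeKey"],
    "ECS": ["DescribeInstances", "DeleteInstance"],
}

if __name__ == "__main__":
    for service, action in audit_matrix(SAMPLE_MATRIX):
        print(f"{service}.{action}: passes the read-only test, needs approval")
```

Run against the sample matrix, every credential-returning IAM call and both KMS secret-value calls pass the verb test and are still flagged, which is exactly the gap the findings describe. Listing secret names (ListSecrets) stays allowed: metadata about secrets is diagnostic evidence, their values are not.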

Missing User Warnings (Medium severity, 93% confidence)

The guide instructs operators to retrieve user data and console output, both of which commonly contain secrets such as bootstrap tokens, API keys, passwords, instance metadata-derived credentials, and internal configuration details. Because the document provides no warning, masking guidance, or handling precautions, it increases the likelihood that sensitive data will be exposed in terminals, logs, tickets, or shared troubleshooting artifacts.
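One of the handling precautions this finding asks for, as an added example that is not part of the skill: redact user data and console output before it goes into a terminal transcript, ticket or shared artifact. The console text below is constructed and contains no real credentials; the patterns are generic secret shapes (PEM private-key blocks, bearer headers, key=value assignments whose key name looks secret-bearing, long unbroken blobs), not vendor-specific formats, so they will miss anything that does not match those shapes and should be treated as a floor, not a guarantee.

```python
"""Redact secrets from console output or user data before sharing (added example)."""
import re

# Applied in order; each rule keeps the surrounding context and replaces
# only the secret material so the log stays useful for diagnosis.
REDACTION_RULES = [
    # PEM private-key blocks, possibly spanning many lines.
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     "[REDACTED PRIVATE KEY]"),
    # Authorization: Bearer <token>
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[^\s\"']+"), r"\1[REDACTED]"),
    # key=value or key: value where the key name suggests a secret
    # (API_KEY, bootstrap_token, db_password, ...).
    (re.compile(r"(?i)([A-Za-z0-9_.-]*(?:api[_-]?key|access[_-]?key|secret|token|password|passwd|pwd)"
                r"\s*[=:]\s*[\"']?)[^\s\"',;]+"), r"\1[REDACTED]"),
    # Long unbroken base64/hex runs that look like keys or signatures.
    (re.compile(r"\b[A-Za-z0-9+/=_-]{40,}\b"), "[REDACTED BLOB]"),
]


def redact(text: str) -> tuple[str, int]:
    """Return (redacted text, number of replacements made)."""
    total = 0
    for pattern, replacement in REDACTION_RULES:
        text, n = pattern.subn(replacement, text)
        total += n
    return text, total


# Constructed console log; none of these values are real credentials.
SAMPLE_CONSOLE = """\
[    0.000000] Linux version 5.10.0 (constructed sample)
cloud-init[812]: running user-data
export API_KEY=ak-0123456789abcdef0123456789abcdef
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.signature" http://169.254.169.254/
bootstrap_token: 9f2c1e7a8b3d4e5f
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAconstructedconstructedconstructed
-----END RSA PRIVATE KEY-----
systemd[1]: Reached target Multi-User System.
"""

if __name__ == "__main__":
    cleaned, count = redact(SAMPLE_CONSOLE)
    print(f"{count} secrets redacted")
    print(cleaned)
```

The replacement count is returned so an operator can log how many redactions happened without logging what was redacted; a non-zero count on "routine" console output is itself a signal that the instance's user data is carrying secrets it should not.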

Vague Triggers (Medium severity, 87% confidence)

The routing entry is triggered by very broad symptom phrases such as '加密失败' ("encryption failed") or '有安全告警' ("there is a security alert"), which match many ordinary support situations without first establishing product, scope, or authorization boundaries. In an agent setting, this raises the chance of misrouting users into a security-focused troubleshooting flow that prompts for sensitive identifiers or produces over-privileged diagnostic guidance before sufficient context is established.

VirusTotal

65/65 vendors flagged this skill as clean.
