Volcengine Vefaas

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate veFaaS deployment helper, but it repeatedly encourages non-interactive cloud changes and direct secret handling without enough safety guidance.

Install only if you understand that it can install a global CLI, use Volcengine credentials, upload project code and artifacts, create or change cloud resources, expose services, and read or modify runtime environment variables. Prefer SSO or managed CI secrets, avoid pasting long-lived AK/SK values into chat or shell history, verify the target app, region and gateway before any --yes command, review .vefaasignore and env files before deploying, and redact debug logs before sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (12)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill promotes `vefaas deploy ... --yes` for non-interactive use without warning that it can immediately create or modify cloud resources. In an AI-agent context, this increases the chance of unintended deployments, cost-incurring actions, or changes to production infrastructure without explicit user confirmation.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documented `vefaas login --accessKey <AK> --secretKey <SK>` command encourages direct use of long-lived credentials without guidance on secure handling. In agent workflows, this can lead to secrets being pasted into prompts, shell history, logs, or debug output, creating a substantial credential exposure risk.

Missing User Warnings

Medium
Confidence: 84%
Finding
The `vefaas env set KEY VALUE` command can modify sensitive runtime configuration, including secrets, feature flags, or production behavior, yet the skill provides no warning. In a deployment-oriented skill, this makes accidental secret overwrites or insecure secret storage more likely.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation instructs users to store long-lived credentials in `~/.vefaas/auth.json` and export secrets as environment variables, but it does not warn that these values are highly sensitive or describe safe handling practices. In a deployment/CI context, this can lead to credential leakage through shell history, process listings, misconfigured file permissions, logs, or shared build environments, which could permit unauthorized access to veFaaS resources.

Missing User Warnings

Medium
Confidence: 95%
Finding
The cookbook includes plaintext examples for setting and importing secrets such as database passwords and API keys without any warning about secret handling, shell history exposure, repository leakage, or accidental upload of `.env` files. In a deployment skill, this is materially risky because users are likely to copy these commands directly into real environments, potentially exposing production credentials.

Missing User Warnings

Medium
Confidence: 95%
Finding
The cookbook documents listing, getting, setting, and importing environment variables, including examples that reveal secret-like values such as DATABASE_URL and API_KEY, but provides no warning that these values may contain credentials or that terminal output, shell history, and shared files can expose them. In a deployment-management skill, this is dangerous because users are being guided to handle live cloud secrets directly and could inadvertently disclose or overwrite production credentials.

Missing User Warnings

Medium
Confidence: 89%
Finding
The examples use `--yes` for deploy and push against existing functions without warning that these commands can modify live cloud resources non-interactively, bypassing a safety confirmation step. In the context of a skill specifically for managing veFaaS functions, this increases the chance of accidental production changes, unintended code rollout, or overwriting a function with the wrong target.

Missing User Warnings

Medium
Confidence: 95%
Finding
The quickstart shows passing access keys on the command line and exporting long-lived credentials as environment variables without any safety guidance. Command-line secrets can leak through shell history, process listings, CI logs, and shared terminal recordings, which is especially risky in a deployment-focused skill where users are likely to copy-paste commands into real environments.

Missing User Warnings

Medium
Confidence: 89%
Finding
The deployment example uses `--yes` to bypass confirmation while creating and deploying cloud resources, but provides no warning about resource creation, external exposure, or possible costs. In a quickstart for serverless deployment, users may run the command verbatim, causing unintended infrastructure changes or billable resources to be created without review.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation explicitly shows commands that list and retrieve environment variables, including examples containing database URLs, API keys, and passwords, without warning that these actions can expose secrets in terminal history, logs, screen shares, or copied output. In an agent skill context, this is more dangerous because an automation agent may execute these commands and echo secret values back to the user or into persistent logs.

Missing User Warnings

Medium
Confidence: 83%
Finding
The build-environment section states that Node.js builds run locally and artifacts are uploaded, while Python code is uploaded for remote dependency installation, but it does not warn users about the trust boundary change. This can lead users to unintentionally upload sensitive files, build outputs, or proprietary code, and to assume local-only behavior when remote processing actually occurs.

Missing User Warnings

Medium
Confidence: 95%
Finding
The troubleshooting guidance explicitly instructs users to collect and share debug logs and notes that logs contain full JSON response data, but it does not warn that these logs may include sensitive request details, environment variables, tokens, identifiers, or other operational secrets. In a deployment/authentication CLI context, encouraging broad log sharing materially increases the risk of credential or configuration leakage during support interactions.

VirusTotal

65/65 vendors flagged this skill as clean.