Security audit

Byted Acep Api

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate cloud-phone administration skill, but it can spend money, delete cloud resources or data, and run remote root commands without built-in safety confirmations.

Install only if you intend to let the agent administer Volcano Cloud Phone resources. Use tightly scoped Volcengine credentials for test or non-production resources where possible, review every create/delete/reset/subscribe/unsubscribe/run-command action before it runs, and avoid exposing signed URLs, access keys, proxy passwords, or downloaded device data in chat output.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Lp3
Severity: Medium | Category: MCP Least Privilege | Confidence: 94%
Finding: The skill exposes powerful capabilities through a local Python CLI that can read/write files, access environment-backed credentials, and make network/API calls, yet it declares no permissions or trust boundaries. In this context, the skill can perform sensitive cloud resource operations and potentially access local secrets or transfer data without any explicit permission model, increasing the risk of unintended destructive actions or data exposure.

Description-Behavior Mismatch
Severity: Medium | Confidence: 80%
Finding: This module includes remote state-changing functionality that updates product storage resources, which goes beyond a narrow read-only troubleshooting surface. In an agent skill context, capability drift matters because users or higher-level agents may invoke actions assuming the tool is primarily informational, leading to unintended cost-incurring or operational changes.

Description-Behavior Mismatch
Severity: High | Confidence: 90%
Finding: The skill exposes automated subscribe, renew, and unsubscribe operations for cloud resources, which materially expands its authority beyond simple querying or troubleshooting. In this cloud-management context, that increases the risk of unauthorized provisioning, renewal, or deletion of resources, potentially causing financial impact and service disruption if an agent misuses the skill or is prompted ambiguously.

Description-Behavior Mismatch
Severity: Medium | Confidence: 93%
Finding: The client exposes a very broad administrative API surface, including creation, deletion, image, host, network, and resource-management operations that go well beyond a narrowly scoped troubleshooting tool for authorized test cloud phone instances. This violates least privilege at the skill layer: if an upstream agent or prompt is abused, the code enables materially more powerful actions than the skill description implies.

Context-Inappropriate Capability
Severity: High | Confidence: 97%
Finding: The code can subscribe, renew, unsubscribe, and resize underlying cloud resources, which enables billing-impacting and infrastructure-changing operations unrelated to routine instance troubleshooting. In an agent context, this creates a powerful abuse path for unauthorized provisioning, spend escalation, and service disruption if the skill is prompted or integrated incorrectly.

Context-Inappropriate Capability
Severity: Medium | Confidence: 90%
Finding: Image listing, creation, update, deletion, and build workflows substantially expand the blast radius of the skill beyond instance operations into software supply-chain and golden-image management. Abuse of these methods could introduce malicious images, alter trusted baselines, or disrupt downstream deployments.

Context-Inappropriate Capability
Severity: High | Confidence: 96%
Finding: The skill includes methods to alter proxies, DNS, routes, and port-mapping-related controls, giving it network control-plane influence beyond the stated purpose. These capabilities can be exploited to redirect traffic, bypass policy, expose services, or degrade connectivity across managed instances.

Missing User Warnings
Severity: Medium | Confidence: 91%
Finding: The reset-host command performs a potentially destructive operation immediately based on CLI arguments, and the parser exposes only a --force flag for API behavior rather than a local safety confirmation. In an operational cloud-management skill, this increases the risk of accidental service disruption or data loss from mistyped IDs, automation mistakes, or unintended invocation.

Missing User Warnings
Severity: Medium | Confidence: 87%
Finding: The CLI exposes a destructive operation that deletes AOSP images immediately from user-supplied IDs, with no visible confirmation prompt, dry-run mode, or safety interlock in this command layer. In a resource-management skill that operates on authorized cloud phone assets, this increases the chance of accidental or scripted deletion of important images, causing service disruption or loss of recoverable configuration artifacts.

Missing User Warnings
Severity: Medium | Confidence: 88%
Finding: The delete-pod command performs a destructive resource deletion immediately, and this file shows no interactive confirmation, dry-run option, or prominent warning. In an operations CLI managing cloud phone instances, accidental invocation, scripting mistakes, or parameter mix-ups can cause unintended loss of infrastructure and associated data.

Missing User Warnings
Severity: Medium | Confidence: 83%
Finding: The reset operation is potentially destructive or service-disruptive, but the command executes directly without any user-facing warning or confirmation in this file. In this skill's context, it can interrupt active testing sessions or revert device state unexpectedly, increasing the chance of operator-caused damage.

Missing User Warnings
Severity: High | Confidence: 94%
Finding: This command deletes user data based on file paths and package lists without any explicit confirmation or strong warning. Because it targets filesystem paths and application data on cloud phone instances, mistakes or misuse can irreversibly remove important test artifacts, app state, or user content at scale.

Missing User Warnings
Severity: Medium | Confidence: 87%
Finding: The delete-backup-data command irreversibly removes backup data with no confirmation prompt or warning shown in this file. Since backups are a recovery control, accidental deletion can magnify the impact of other failures by removing the ability to restore lost data.

Missing User Warnings
Severity: Medium | Confidence: 88%
Finding: Subscription and renewal commands trigger remote, billable state changes without any visible user confirmation, dry-run mode, or warning in this file. In an agent-operated CLI, the absence of friction increases the chance of accidental purchases or renewals from ambiguous prompts, operator mistakes, or chained tool misuse.

Missing User Warnings
Severity: Medium | Confidence: 90%
Finding: The unsubscription command performs a destructive remote operation and supports a force option, yet this file provides no extra confirmation barrier beyond the command name. In a cloud resource management skill, accidental or unauthorized unsubscription can immediately disrupt service availability and may be hard to reverse quickly.

Missing User Warnings
Severity: Medium | Confidence: 90%
Finding: The client exposes pod deletion directly with no built-in confirmation, warning, or safeguard. In an agent-driven workflow, a mistaken instruction, prompt injection, or misunderstood user request could permanently remove instances or associated work without friction.

Missing User Warnings
Severity: Medium | Confidence: 88%
Finding: Remote file deletion is exposed as a normal method without any built-in disclosure or confirmation despite being destructive. This increases the risk of accidental or induced data loss on managed devices when the skill is operated through an autonomous or semi-autonomous agent.

Missing User Warnings
Severity: Medium | Confidence: 91%
Finding: The pull operation writes arbitrary remote content to a local filesystem path without user-facing warning, path restrictions, or safer staging behavior. In an agent environment, this can enable unwanted local file creation or overwrite, especially if output paths are influenced by prompts or external input.

Missing User Warnings
Severity: High | Confidence: 97%
Finding: The client provides direct remote command execution on cloud phones with no built-in safety messaging, command restrictions, or confirmation workflow. This is highly sensitive because an agent can be induced to run arbitrary commands affecting data, configuration, persistence, or lateral activity on managed devices.

Missing User Warnings
Severity: High | Confidence: 97%
Finding: The synchronous command path is especially risky because it silently falls back from edge execution to the OpenAPI path, preserving command execution even when the preferred mechanism fails. That hidden fallback reduces operator awareness and increases the chance that dangerous commands still run under error conditions or unexpected routing.

VirusTotal

64/64 vendors flagged this skill as clean.