Aliyun Drive Uploader

Security checks across malware telemetry and agentic risk

Overview

This cloud-drive skill appears purpose-aligned, but it has under-disclosed destructive file deletion and sensitive token-handling behavior that users should review before installing.

Install only if you are comfortable granting this skill access to your Aliyun Drive files. Treat its .env file as sensitive, do not commit it, restrict file permissions, and confirm exact file IDs before any delete action. Prefer a version that clearly documents delete/download behavior, asks before destructive operations, and avoids passing refresh tokens through command-line arguments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The skill description says it supports upload, folder creation, search, and share-link management, but the code also exposes file deletion. Undisclosed destructive capability is dangerous because users or orchestrating agents may invoke the skill under incomplete assumptions, increasing the chance of unintended data loss.

Description-Behavior Mismatch

Severity: Low
Confidence: 84%
Finding
The code exposes download URL retrieval, but this capability is not stated in the skill description. An undocumented capability bypasses user expectations and may leak direct-access links to stored content, especially if an orchestrating agent assumes the tool only uploads or manages metadata.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Automatically persisting refreshed credentials back into `.env` changes sensitive local state and may expose tokens to other tools, users, backups, or source control if the file is not protected. Because this behavior is only mentioned in implementation notes and not clearly warned about as a security-sensitive side effect, users may unknowingly allow credential material to be rewritten and retained on disk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill exposes a delete action for cloud files without any warning, confirmation guidance, or discussion of irreversibility. In a file-management skill, destructive actions are contextually expected, but omitting safety messaging increases the risk of accidental or unauthorized deletion of user data.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The delete action performs a destructive operation with no visible confirmation, safeguard, or soft-delete check in this file. In an agent setting, accidental or prompt-induced invocation could delete user files immediately, increasing the chance of unintended data loss.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
A sensitive refresh token is read from .env and then forwarded on the command line to a subprocess. Command-line arguments can be exposed via process listings, logs, crash reports, or monitoring tools, which can leak long-lived credentials that grant access to the user’s cloud storage.
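The exposure described in this finding comes down to how the token reaches the child process. The following is an added example, not code from the skill or from Aliyun, that contrasts the argv hand-off with two alternatives; the child programs are small stand-ins for whatever subprocess the skill launches, the token value is a constructed placeholder, and the environment variable name `ALIYUN_REFRESH_TOKEN` is an assumption, since the page does not name the variable the skill reads.

```python
import os
import subprocess
import sys

# Constructed placeholder credential for the demonstration; not a real Aliyun token.
FAKE_TOKEN = "refresh-token-0123456789abcdef"

# Stand-ins for the subprocess the skill launches. Each prints back the secret it
# received so the caller can verify that the hand-off actually worked.
CHILD_READS_ARGV = "import sys; print(sys.argv[1])"
CHILD_READS_STDIN = "import sys; print(sys.stdin.readline().rstrip())"
CHILD_READS_ENV = "import os; print(os.environ['ALIYUN_REFRESH_TOKEN'])"


def pass_via_argv(token):
    """The pattern the finding describes: the token is an argv element, so process
    listings (`ps -o args`), audit logs, shell history and crash reports all capture it."""
    cmd = [sys.executable, "-c", CHILD_READS_ARGV, token]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return cmd, out.strip()


def pass_via_stdin(token):
    """Preferred: hand the token over a pipe. argv stays secret-free, nothing is
    inherited by grandchildren, and nothing appears in /proc/<pid>/environ."""
    cmd = [sys.executable, "-c", CHILD_READS_STDIN]
    out = subprocess.run(cmd, input=token + "\n", capture_output=True, text=True, check=True).stdout
    return cmd, out.strip()


def pass_via_env(token):
    """Fallback when the child cannot read stdin: an environment variable (name assumed).
    Better than argv, but still readable by same-uid processes via /proc/<pid>/environ and
    commonly dumped into crash reports, so prefer stdin where possible."""
    env = dict(os.environ, ALIYUN_REFRESH_TOKEN=token)
    cmd = [sys.executable, "-c", CHILD_READS_ENV]
    out = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True).stdout
    return cmd, out.strip()


def argv_exposes(cmd, secret):
    """Models what a process listing reveals: True if any argv element contains the secret."""
    return any(secret in arg for arg in cmd)


if __name__ == "__main__":
    for fn in (pass_via_argv, pass_via_stdin, pass_via_env):
        cmd, received = fn(FAKE_TOKEN)
        print(f"{fn.__name__:15s} child got token: {received == FAKE_TOKEN}  "
              f"visible in argv: {argv_exposes(cmd, FAKE_TOKEN)}")
```

Run it and then compare with `ps -o args` on a long-running child: only the argv variant shows the token. A practical check when reviewing any skill is to grep its subprocess calls for the variable that holds the token and confirm it never lands in the argument list.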

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The function sends the user's refresh token to a remote authentication endpoint without any user-facing disclosure or consent flow. Even though the endpoint appears to be the vendor auth API, refresh tokens are highly sensitive credentials and transmitting them without clear notice can violate user expectations and increase credential-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script rewrites a token file in place whenever --save-token is provided, with no confirmation, backup, or path restriction. This can silently overwrite credentials or other sensitive configuration if the path is wrong or attacker-controlled, causing account disruption or credential corruption.
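Both this finding and the earlier one about persisting refreshed credentials into .env point at the same missing controls: a path restriction, restrictive file permissions, and an atomic write that cannot half-overwrite the file. The helper below is an added example of how a skill could persist a refreshed token safely; it is not the skill's own code, the `.env` key name `ALIYUN_REFRESH_TOKEN` is an assumption, and the file contents in `demo()` are constructed sample data.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical variable name; the page does not say which .env key the skill rewrites.
TOKEN_KEY = "ALIYUN_REFRESH_TOKEN"


def _confine(path: Path, allowed_dir: Path) -> Path:
    """Resolve symlinks and '..', then refuse any target not strictly inside allowed_dir.
    This is the path restriction the finding says --save-token lacks."""
    resolved = path.resolve()
    root = allowed_dir.resolve()
    if root not in resolved.parents:
        raise ValueError(f"refusing to write outside {root}: {resolved}")
    return resolved


def save_refresh_token(env_path, token, allowed_dir):
    """Rewrite only the TOKEN_KEY line of a .env file, preserving every other line.

    Safety properties:
      * the target must live under allowed_dir (no clobbering arbitrary files)
      * the new content goes to a temp file that mkstemp creates with mode 0600
      * os.replace swaps it in atomically, so a crash never leaves a half-written .env
      * the result keeps the temp file's 0600 mode even if the old .env was world-readable
    """
    target = _confine(Path(env_path), Path(allowed_dir))
    old_lines = target.read_text().splitlines() if target.exists() else []
    kept = [ln for ln in old_lines if not ln.startswith(TOKEN_KEY + "=")]
    content = "\n".join(kept + [f"{TOKEN_KEY}={token}"]) + "\n"

    fd, tmp_name = tempfile.mkstemp(dir=target.parent, prefix=".env.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())          # durable before the rename makes it visible
        os.replace(tmp_name, target)
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)            # never leave a stray copy of the token behind
        raise
    return target


def demo():
    """Exercise the helper in a scratch directory and report what a reviewer would check."""
    with tempfile.TemporaryDirectory() as scratch:
        env_file = Path(scratch) / ".env"
        # Constructed sample .env; the old token is a placeholder, not a real credential.
        env_file.write_text("OTHER_SETTING=example\nALIYUN_REFRESH_TOKEN=old-token\n")
        os.chmod(env_file, 0o644)          # simulate a carelessly created, world-readable file
        save_refresh_token(env_file, "new-token", scratch)
        try:
            save_refresh_token(Path(scratch) / ".." / "escape.env", "x", scratch)
            escape_blocked = False
        except ValueError:
            escape_blocked = True
        return {
            "mode": oct(env_file.stat().st_mode & 0o777),
            "lines": env_file.read_text().splitlines(),
            "escape_blocked": escape_blocked,
            "stray_temp_files": sorted(p.name for p in Path(scratch).iterdir() if p.name != ".env"),
        }


if __name__ == "__main__":
    print(demo())
```

Even with this in place the token still sits on disk, so the advice in the overview stands: keep `.env` out of source control and backups that other people can read.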

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The delete action executes immediately once a file_id is supplied, with no confirmation, preview, or recycle-bin verification. In an agent context, this is risky because destructive actions may be triggered by misunderstanding, prompt injection, or stale identifiers, leading to irreversible data loss.
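The three delete findings on this page share one root cause: the destructive call is reachable with nothing but a file_id. The following added example (not the skill's code) shows a guard a wrapper or a patched skill could put in front of that call. The real delete and listing functions are injected as callables so it runs offline; `DeleteGuard`, `ConfirmationRequired` and the in-memory "drive" in `demo()` are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable


class ConfirmationRequired(Exception):
    """Raised when a destructive call arrives without an explicit, id-specific confirmation."""


@dataclass
class DeleteGuard:
    """Hypothetical wrapper around a cloud file-delete call.

    delete_fn - the real destructive call, injected so the guard is testable offline
    list_fn   - returns the ids that currently exist; used to reject stale identifiers
    dry_run   - True by default: record what would be deleted without calling delete_fn
    """
    delete_fn: Callable[[str], None]
    list_fn: Callable[[], Iterable[str]]
    dry_run: bool = True
    audit: list = field(default_factory=list)

    def delete(self, file_id, *, confirm=None):
        # 1. Reject malformed input before touching anything.
        if not isinstance(file_id, str) or not file_id:
            raise ValueError("file_id must be a non-empty string")
        # 2. The caller (human or agent) must repeat the exact id it intends to destroy.
        #    A prompt-injected "delete it" cannot satisfy this without naming the id twice.
        if confirm != file_id:
            raise ConfirmationRequired(f"re-send the call with confirm={file_id!r} to delete it")
        # 3. Re-list before deleting so a stale or mistyped id fails closed instead of
        #    silently hitting whatever that id now points at.
        if file_id not in set(self.list_fn()):
            raise LookupError(f"{file_id!r} is not present in a fresh listing; refusing")
        # 4. Dry-run by default; the destructive path has to be opted into explicitly.
        if self.dry_run:
            self.audit.append(("dry-run", file_id))
            return False
        self.delete_fn(file_id)
        self.audit.append(("deleted", file_id))
        return True


def demo():
    """Drive the guard against a constructed in-memory 'drive' and report each outcome."""
    drive = {"file-a": "report.pdf", "file-b": "photo.jpg"}   # constructed sample data
    guard = DeleteGuard(delete_fn=lambda fid: drive.pop(fid),
                        list_fn=lambda: drive.keys(), dry_run=False)
    outcome = {}
    try:
        guard.delete("file-a")                       # bare call, as an agent might issue it
        outcome["unconfirmed"] = "deleted"
    except ConfirmationRequired:
        outcome["unconfirmed"] = "blocked"
    try:
        guard.delete("file-z", confirm="file-z")     # id that no longer exists
        outcome["stale"] = "deleted"
    except LookupError:
        outcome["stale"] = "blocked"
    dry = DeleteGuard(delete_fn=lambda fid: drive.pop(fid), list_fn=lambda: drive.keys())
    outcome["dry_run_returned"] = dry.delete("file-b", confirm="file-b")   # logs, deletes nothing
    outcome["confirmed"] = guard.delete("file-a", confirm="file-a")
    outcome["remaining"] = sorted(drive)
    outcome["audit"] = guard.audit + dry.audit
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The confirmation requirement is deliberately a repeated identifier rather than a yes/no flag: an agent that has the file listing in context can supply it, but an injected instruction that does not know the exact id cannot. Whether a recycle-bin check is also possible depends on the vendor API, which this page does not document.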

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal