CloudQ

Security checks across malware telemetry and agentic risk

Overview

CloudQ appears to be a real Tencent Cloud Advisor helper, but it uses powerful cloud credentials and includes under-disclosed setup behavior that should be reviewed before installation.

Install only if you are comfortable granting Tencent Cloud credentials that may perform CAM, STS, Advisor, and tag-related operations. Use least-privilege or temporary credentials, avoid storing long-lived AK/SK values in shell profiles, review the exact policies before creating the advisor role, and avoid running the environment check or PNG conversion in sensitive environments until the unpinned npx fallback, runtime installs, and TLS fallback are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (32)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _get_version_via_npx(slug: str) -> str | None:
    """L3: 通过 npx 临时下载 clawhub 执行(无需全局安装,需要 Node.js)"""
    import subprocess
    result = subprocess.run(
        ["npx", "--yes", "clawhub@latest", "inspect", slug, "--json"],
        capture_output=True, text=True, timeout=60,
    )
Confidence
97% confidence
Finding
result = subprocess.run( ["npx", "--yes", "clawhub@latest", "inspect", slug, "--json"], capture_output=True, text=True, timeout=60, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        from playwright.sync_api import sync_playwright
    except ImportError:
        print("  ℹ️  Playwright 未安装,尝试安装...")
        subprocess.run([sys.executable, '-m', 'pip', 'install', 'playwright'], check=True, capture_output=True)
        subprocess.run([sys.executable, '-m', 'playwright', 'install', 'chromium'], check=True, capture_output=True)
        from playwright.sync_api import sync_playwright
Confidence
93% confidence
Finding
subprocess.run([sys.executable, '-m', 'pip', 'install', 'playwright'], check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    except ImportError:
        print("  ℹ️  Playwright 未安装,尝试安装...")
        subprocess.run([sys.executable, '-m', 'pip', 'install', 'playwright'], check=True, capture_output=True)
        subprocess.run([sys.executable, '-m', 'playwright', 'install', 'chromium'], check=True, capture_output=True)
        from playwright.sync_api import sync_playwright

    with sync_playwright() as p:
Confidence
94% confidence
Finding
subprocess.run([sys.executable, '-m', 'playwright', 'install', 'chromium'], check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        from selenium.webdriver.chrome.options import Options
    except ImportError:
        print("  ℹ️  Selenium 未安装,尝试安装...")
        subprocess.run([sys.executable, '-m', 'pip', 'install', 'selenium'], check=True, capture_output=True)
        from selenium import webdriver
        from selenium.webdriver.chrome.options import Options
Confidence
92% confidence
Finding
subprocess.run([sys.executable, '-m', 'pip', 'install', 'selenium'], check=True, capture_output=True)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The public description frames the skill mainly as an informational/operational cloud assistant, but the document also authorizes materially more powerful actions: writing shell profiles, persisting credentials guidance, creating/deleting IAM roles, assuming roles, generating console login URLs, and invoking plugin/report tooling. That mismatch increases the chance of users or orchestrators invoking a skill with broader side effects than expected, which is especially dangerous because it touches cloud identity and local persistence.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The role-creation documentation is internally inconsistent: one section says the role will attach only QcloudAdvisorFullAccess, while another says it will also attach QcloudTAGFullAccess and even describes broader write access. In security-sensitive IAM flows, contradictory documentation can cause operators to approve changes under false assumptions and can mask privilege expansion beyond what the user intended.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to launch local applications (`open`, `xdg-open`, `start`) as part of its fallback behavior. That exceeds passive report generation and creates a host-side action surface where a remote prompt can cause unexpected local program execution or file opening, especially in desktop environments. In this context, the behavior is only loosely related to report delivery, so the skill becomes more dangerous because a user request for a report can trigger client-side actions beyond producing content.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill expands its scope beyond report generation by documenting optional STS/CAM role setup and login-link generation capabilities. Those features touch authentication and privilege configuration surfaces, which are sensitive and not necessary for the core read-only reporting workflow; if used improperly, they could enable unintended access delegation or phishing-like login-link handling. The surrounding context lowers severity somewhat because the text labels them as optional, but it still broadens the trust boundary unnecessarily.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script embeds `risk_trend.get("Svg", "")` directly into the generated HTML without sanitization. If the input JSON is attacker-controlled or comes from an untrusted upstream source, malicious SVG can contain script, event handlers, external references, or abuse browser parsing quirks, leading to stored XSS when the generated report is opened.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Template names are joined directly into filesystem paths under `template/`, and later used for both reads and writes. Without validating that `template_name` stays within the intended base directory, a caller can use path traversal such as `../` to read JSON from unintended locations or write theme files outside the template area when `--save-template` is used.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
A helper meant to convert HTML to PNG should not silently install Python packages and browser binaries during execution. In this skill context, that behavior is more dangerous because agent-executed utilities may run in privileged or semi-automated environments where unauthorized package installation can alter the system and bypass operator review.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The Selenium fallback performs automatic package installation even though the script's documented role is only screenshot conversion. This hidden capability broadens the trust boundary and can lead to unexpected code retrieval and host modification, especially problematic in automated plugin environments.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This script introduces destructive local cleanup and optional cloud-side deletion behavior that is not aligned with the skill's stated ChatOps/query/advisor scope. In an agent skill context, shipping undeclared destructive capabilities increases the risk of accidental or unauthorized deletion, especially if the agent can invoke helper scripts without the user understanding the side effects.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code can delete a Tencent CAM role named 'advisor' using available credentials, which is a privileged IAM operation unrelated to the stated read/query use cases. In a skill ecosystem, hidden or weakly justified IAM mutation capability is dangerous because it can disrupt access control, break integrations, or be abused if an agent or operator runs the script in an over-privileged environment.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script performs privileged IAM/CAM write operations by creating a role, enabling console login, and attaching broad policies, while the skill metadata describes primarily informational/query functions. This capability expansion is dangerous because an agent or user invoking a seemingly read-oriented skill could unintentionally grant new access paths in the Tencent Cloud account.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script consumes Tencent Cloud access keys from environment variables and then uses them to make IAM changes. In the context of a chat assistant skill that is described as query-oriented, using ambient credentials for administrative actions increases the chance of unauthorized or surprising privilege changes if the script is invoked in an environment where credentials are already present.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script is explicitly designed to read long-lived Tencent Cloud credentials from environment variables and/or local configuration in order to mint console SSO-style login URLs. That capability materially exceeds the manifest’s stated advisory and architecture-query scope, creating a privilege-bearing access path that could be abused to obtain console access if the skill is invoked in a credentialed environment.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code performs STS GetCallerIdentity and AssumeRole operations to discover account identity and obtain temporary credentials, which are security-sensitive cloud control-plane actions. In the context of a skill advertised for informational/advisory architecture operations, this is an unnecessary expansion into privileged account access and increases the blast radius if the skill is misused or compromised.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script generates a passwordless Tencent Cloud console login URL using temporary credentials and a signed callback, enabling direct console access. This is highly sensitive because anyone who obtains the generated URL can potentially access cloud console functionality within the session scope, which is far beyond passive advisor/query behavior described by the skill metadata.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This script creates CAM roles and attaches broad policies, which is a privileged write action not aligned with the skill's manifest emphasis on query/help operations. Even with user confirmation, embedding account-administration behavior in a chat-oriented skill increases the risk of unexpected privilege changes and policy sprawl if the skill is invoked in the wrong context.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script consumes long-lived Tencent Cloud SecretId/SecretKey credentials from environment variables to perform administrative API actions. In a skill whose stated purpose is mainly informational/chat-based, requesting and using persistent cloud credentials materially increases account takeover and misuse risk if the skill or surrounding environment is compromised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
When certifi is unavailable, the code explicitly disables hostname verification and certificate validation before making HTTPS API calls. This enables man-in-the-middle attacks against requests carrying Tencent Cloud authentication headers and request payloads, which is especially dangerous because this skill interacts with cloud-management APIs.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad and overlap with common user intents such as asking for introductions, architecture info, risk data, and service enablement. In an agent environment, ambiguous triggers can cause unintended invocation of a skill that has access to sensitive credentials, networked cloud APIs, local config writes, and IAM-affecting operations.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The plugin trigger keywords include very broad natural-language phrases like risk analysis and report modification, which can easily match ordinary conversation. Because the plugin can fetch data, generate HTML reports, and render PNG output, loose activation increases the chance of unexpected execution paths and additional data handling without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document mandates generation of a no-password login link for console access and instructs the agent to present it to the user, but provides no user-facing warning, consent check, scope restriction, or guidance on token lifetime and sensitivity. In a ChatOps skill that may surface cloud architecture details and direct console access, this can enable unintended privileged access exposure, phishing-style link forwarding, or privacy leaks if the link is shown to the wrong user or retained in chat history.

VirusTotal

65/65 vendors flagged this skill as clean.