Get Ali Searches

Security checks across malware telemetry and agentic risk

Overview

This is a narrow, instruction-only skill for getting Alibaba Cloud related search terms, with no bundled code or hidden behavior found.

Before installing, confirm which MCP server receives the robotId and whether that server is trusted. Treat the robotId as potentially sensitive unless your Alibaba Cloud/RPA setup confirms it is only a non-secret identifier.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation requires a credential-like identifier (`robotId`, explicitly tied to `ALIYUN_RPA_RobotId`) but provides no warning about sensitivity, storage, logging, or sharing risks. Even if `robotId` is not a full secret by itself, exposing operational identifiers in prompts, logs, or transcripts can enable unauthorized use, account correlation, or follow-on attacks in integrated systems.

VirusTotal

66/66 vendors flagged this skill as clean.
