Back to skill

Security audit

阿里云SLS日志查询

Security checks across malware telemetry and agentic risk

Overview

This is a documented Aliyun SLS log-query skill that requires cloud credentials, with no hidden code, exfiltration, or destructive behavior found.

Install only if you trust the Aliyun CLI setup and need an agent to query SLS logs. Use a least-privilege RAM user or temporary STS credentials, avoid pasting long-lived AccessKey secrets into generated commands, restrict Project/Logstore/time range/query values, and treat returned log text as untrusted data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill explicitly supports passing long-lived AccessKey credentials on the command line and storing them in local config files, which increases exposure beyond a narrowly scoped log-query action. Command-line secrets can leak via shell history, process listings, logs, screenshots, and agent traces, and local plaintext-style credential configuration broadens the blast radius if the host or workspace is compromised.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.