Huaweicloud Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a legitimate Huawei Cloud CLI helper, but it grants broad cloud, local profile, and command-execution authority that is not tightly scoped or enforced.

Install only if you intend to let the agent operate Huawei Cloud through hcloud. Use a least-privilege Huawei Cloud profile, avoid passing AK/SK or tokens on the command line, do not disable auth encryption or TLS verification, require explicit approval for any create/update/delete/OBS sync/share action, and review generated commands before execution.

SkillSpector (19)

By NVIDIA

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to read local files, write JSON/input artifacts, and execute shell commands, but the skill metadata declares no permissions. That mismatch is a real security issue because callers and policy engines cannot accurately understand or constrain the skill's effective capabilities, increasing the chance of unintended command execution, file modification, or use in higher-risk cloud operations.

Description-Behavior Mismatch

Low
Confidence
92% confidence
Finding
The document goes beyond passive query/help usage and includes concrete operational guidance for state-changing actions such as stopping cloud servers and constructing request bodies. In a skill explicitly positioned for query, analysis, planning, and change support, this materially increases the chance that an agent can generate and execute destructive or disruptive resource modifications without strong guardrails.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The document instructs users to supply AK/SK and SecurityToken directly on the command line, which is unsafe because command-line arguments are commonly exposed via shell history, process listings, logs, and agent traces. In an agent skill context, this can lead to credential disclosure well beyond the intended execution context and enable full compromise of cloud resources.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The document states that logging is always on and gives the log file locations, but does not bound what may be recorded or how sensitive entries are protected. In a CLI skill that handles cloud operations and possibly credentials, persistent non-disableable logs can retain command content, identifiers, endpoints, and operational metadata that may later be harvested from disk.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The examples encourage viewing configuration details and debug output in contexts where access keys, secret keys, project identifiers, and other sensitive settings may be displayed. In an agent-driven environment, such output can be captured in transcripts, telemetry, or logs, turning convenience commands into a credential exposure path.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This documentation materially expands the skill from cloud resource operations into local credential lifecycle management, profile mutation, login flows, encryption settings, and client self-administration. In an agent setting, these extra capabilities increase the attack surface because prompts can steer the agent into changing local auth state or persisting secrets rather than only operating on cloud resources.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file includes client software update, metadata/package handling, logging, and template download capabilities that exceed the stated purpose of operating Huawei Cloud resources. These non-resource-management functions let an agent alter its own tooling state or fetch external artifacts, creating unnecessary supply-chain and persistence risk.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The integrated OBS commands provide broad file and object-storage manipulation, including upload, download, move, delete, sync, restore, and share operations against both local filesystems and cloud buckets. That is substantially broader than the declared query/analysis/planning/change scope and enables destructive or exfiltration-oriented actions if an agent is prompted to act on local paths or storage objects.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The document instructs users to set shell and OS environment variables, including proxy settings, across Linux, Windows, and PowerShell. In an agent context, exposing local environment modification steps extends the skill into host configuration management and can be abused to reroute traffic, persist sensitive values, or change execution context outside the declared cloud-operations scope.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The module docstring states that the script only inspects the local metadata cache, but the optional fallback can execute the hcloud CLI. In an agent/skill context, this mismatch is dangerous because operators or higher-level orchestration may treat the tool as read-only/local-only and permit it in contexts where spawning external commands is not expected.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Describing always-on logging without warning users that logs may contain operational or system-sensitive information creates a privacy and data handling gap. Users and downstream agents may unknowingly persist command history, resource identifiers, or troubleshooting details in local files that are accessible to other users or tools.

Missing User Warnings

High
Confidence
98% confidence
Finding
Telling users to enter long-lived or temporary cloud credentials directly in commands, without a clear warning, materially increases the risk of accidental credential leakage through shell history, process inspection, screenshots, CI logs, or agent memory. Because these credentials authorize cloud API calls, exposure can directly enable unauthorized access and resource takeover.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document instructs users to download and immediately execute a remote shell script via curl piped into bash-equivalent sequencing, which creates a supply-chain risk if the hosting location, network path, or script content is compromised. Although a sha256 file is mentioned elsewhere, this specific flow does not require users to verify integrity before execution and provides no meaningful warning about the trust boundary.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Dockerfile example bakes in a build step that fetches and executes a remote installation script during image build, extending the same supply-chain risk into automated/containerized workflows. In CI/CD or shared build environments this is especially dangerous because compromise of the remote script can silently poison images that are later distributed broadly.

Missing User Warnings

High
Confidence
95% confidence
Finding
The document advertises a mode to store authentication information in plaintext using "--cli-auth-encrypt=false" without clearly warning that access keys, tokens, or other credentials may be exposed to local users, malware, backups, or source control if the config file is copied. In a CLI skill whose purpose includes authentication troubleshooting and configuration, this can directly encourage unsafe operator behavior and increase the chance of credential compromise.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes a flag to skip HTTPS certificate verification and labels it only as "not recommended," which understates the risk of man-in-the-middle interception, endpoint impersonation, and tampering with API traffic. Because this skill is specifically about using the CLI for cloud operations and troubleshooting, operators may adopt the flag as a normal workaround and expose sensitive requests and credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation recommends storing proxy credentials directly in environment variables, including persistent settings, without clearly warning that such values may be exposed via shell history, process listings, crash dumps, support bundles, or inherited child processes. This can leak enterprise proxy usernames and passwords and facilitate interception or lateral movement.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file documents disabling encrypted storage for authentication data via cli-auth-encrypt=false but does not pair this with a strong warning about plaintext credentials being written to disk. In an agent or shared-host environment, that can expose long-lived AK/SK or tokens to other local users, malware, backups, or support artifacts.

External Transmission

Medium
Category
Data Exfiltration
Content
Use the following command to install KooCLI in one step:

curl -sSL https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/latest/hcloud_install.sh -o ./ hcloud_install.sh && bash ./hcloud_install.sh

By default, the above command downloads KooCLI to the “/usr/local/hcloud/” directory and moves it to the “/usr/local/bin/” directory so that the hcloud command can be used from any directory (before completing this step, make sure the “/usr/local/bin/” path is present in the PATH system variable).
Confidence
95% confidence
Finding
curl -sSL https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/latest/hcloud_install.sh -o ./ hcloud_install.sh && bash ./hcloud_install.sh By default, the above command downloads KooCLI to the “/usr/local/hcloud/” directory and moves it to “/

Static analysis

Dynamic code execution

Critical
Finding
Dynamic code execution detected.

Dynamic code execution

Critical
Finding
Dynamic code execution detected.

VirusTotal

65/65 vendors flagged this skill as clean.
