alibabacloud-ecs-code-deploy
Warn
Audited by Snyk on May 29, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill includes runtime install/execution commands that fetch and run remote archives/scripts (e.g., the aliyun CLI installer URL https://aliyun-cli.oss-cn-hangzhou.aliyuncs.com/aliyun-cli-linux-latest-amd64.tgz referenced by _arch_install_cmd and the NodeSource setup script https://rpm.nodesource.com/setup_22.x which is invoked via curl | bash in the start-script templates), so these external URLs are used at runtime to retrieve and execute code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs running install/upgrade commands that may overwrite /usr/local/bin (requiring sudo), deleting local directories (rm -rf ~/.aliyun/appmanager-venv and ./.appmanager), and modifying user shell configs (append PATH), all of which alter the host system state and can be destructive or require elevated privileges.
MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
- Hidden Unicode characters detected (1 type(s) found)
Issues (3)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
W021
MEDIUMHidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
Audit Metadata