alibabacloud-ecs-sec-inspect

Fail

Audited by Snyk on Jun 23, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill mandates executing system commands and embedding command outputs/evidence in reports (e.g., catting files under /root, reading system/log files) so the agent will likely read and output sensitive secrets/keys/hashes verbatim, creating a high exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). This list mainly contains legitimate security/academic resources (GitHub, NIST, MITRE, arXiv, vendor blogs) but also includes several unvetted GitHub release endpoints, direct binary release URLs, OpenClaw/skill-related release APIs, raw IP/placeholders and other artifacts that are high-risk supply‑chain or C2 vectors if fetched or executed without verification—treat the release/download links and IP patterns as suspicious until their provenance and signatures are validated.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs the agent to run multiple sudo setup/install scripts that change permissions and install files into system/AI-tool directories (and includes sudo verification commands reading root-owned files), thereby requesting elevated privileges and actions that modify the machine state.

Issues (4)

W007
HIGH

Insecure credential handling detected in skill instructions.

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 23, 2026, 07:06 AM
Issues
4
Security Audit — snyk — alibabacloud-ecs-sec-inspect