alibabacloud-ecs-sec-inspect

Fail

Audited by Socket on Jun 23, 2026

5 alerts found:

Securityx2Anomalyx2Obfuscated File
SecurityMEDIUM
SKILL.md
SecurityMEDIUM
deploy/k8s/cronjob.yaml
AnomalyLOW
deploy/k8s/job.yaml

The manifest configures a legitimate-sounding but high-impact one-time node security scanning job. It grants deep host visibility (hostPID/hostNetwork), elevated inspection capabilities, mounts the host root filesystem, and exposes Docker/containerd runtime sockets, and it configures an HTTP reporting endpoint. While the YAML shows no explicit malicious logic, the combination creates a meaningful dual-use attack surface: if the referenced image or its config were compromised, it could collect sensitive host/runtime data and potentially report it externally or interact with the runtime. Key mitigations include pinning the image by digest/signature, enforcing strong network egress controls and TLS, minimizing capabilities, and restricting runtime socket access/RBAC for the scanner service account.

Confidence: 62%Severity: 63%
AnomalyLOW
configs/collector.yaml

This YAML is a privileged, configuration-driven host telemetry/inspection setup that reads a wide range of local system and security-sensitive artifacts (including /etc/shadow, sudoers, sshd_config, and authentication logs) and can run a systemctl command to enumerate services. The fragment contains no explicit exfiltration endpoints, credentials, or obfuscation, so direct malware is not proven from this snippet alone. The dominant risk is privacy/credential-adjacent data exposure and potential misuse depending on the consuming application’s handling and transport of collected data.

Confidence: 62%Severity: 67%
Obfuscated FileHIGH
assets-origin/ioc/manifest.json

This file is a non-executable manifest that points to base64-encoded indicator datasets. While it contains no direct malicious behavior, the inclusion of highly suspicious tags (C2/mining/webshell/backdoor/malware) and base64-encoded indicator lists makes the overall package/data set potentially dangerous and warrants review of the referenced .b64 contents and the consuming code paths to determine whether it is used defensively (IOC matching/blocking) or offensively (targeting/exploitation/infra abuse).

Confidence: 90%
Audit Metadata
Analyzed At
Jun 23, 2026, 07:09 AM
Package URL
pkg:socket/skills-sh/aliyun%2Falibabacloud-ecs-troubleshoot-skills%2Falibabacloud-ecs-sec-inspect%2F@b4d59895889e8a1694be8ffae113849a9b7730e39236ed2c7898a026fe799b48
Security Audit — socket — alibabacloud-ecs-sec-inspect