huawei-cloud-cci-instance-management
Warn
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The helper script scripts/cci_network_helper.py contains a potential command injection vulnerability due to unsafe shell command construction.
  - Evidence: The script constructs a command string using f-string interpolation of the region variable: cmd = f"hcloud IAM KeystoneListProjects --cli-region={region} --cli-output=json".
  - Evidence: This command is then executed via subprocess.run(cmd, ..., shell=True) in the get_project_id function.
  - Risk: If the input to the --region argument is not strictly validated, an attacker could inject shell metacharacters to execute arbitrary commands on the system.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting and processing untrusted data from the cloud environment.
  - Ingestion points: The skill retrieves container logs using hcloud CCI readCoreV1NamespacedPodLog and lists resource events using hcloud CCI listCoreV1NamespacedEvent.
  - Boundary markers: There are no explicit boundary markers or instructions to the agent to ignore or sanitize instructions found within these logs or event messages.
  - Capability inventory: The skill has high-privilege capabilities, including creating and deleting namespaces, networks, and workloads (Deployments, Pods).
  - Sanitization: No sanitization is performed on the output of log or event queries before they are processed by the agent, allowing malicious content in logs to potentially influence the agent's logic.
Audit Metadata