cloud-metadata

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This skill explicitly instructs retrieving instance metadata credentials (TmpSecretId/TmpSecretKey/Token) and placing them into CLI commands, environment variables, or config flows, which requires the agent to output or embed secret values verbatim and thus poses high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). Provides explicit, step-by-step instructions to exploit SSRF and cloud metadata endpoints to steal temporary credentials, enumerate and exfiltrate cloud resources, and perform lateral movement—clear malicious intent enabling unauthorized access and compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md and references explicitly instruct fetching cloud instance metadata and user-data from third-party metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/, http://100.100.100.200/latest/meta-data/, http://metadata.tencentyun.com/latest/meta-data/ and /latest/user-data), which are untrusted/user-provided content the agent is expected to read and then use (e.g., extract credentials and drive cloud CLI actions), so third-party content can materially influence tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes explicit runtime install commands that wget executables from https://cosbrowser.cloud.tencent.com/software/coscli/coscli-linux-amd64 (and related coscli URLs), which fetch remote binaries and install/execute them as part of the workflow, so this is a runtime external dependency that executes remote code.