huawei-pentesting

Fail

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes a large number of shell commands to automate interactions with Huawei Cloud via specialized CLI tools (openstack, obsutil) and direct REST API calls using curl.
  • [DATA_EXFILTRATION]: It contains instructions for exfiltrating sensitive data, including harvesting credentials and configuration from the internal cloud metadata service (169.254.169.254), downloading private files from object storage buckets, and exporting database backups via API.
  • [REMOTE_CODE_EXECUTION]: The skill documents methods for achieving code execution on target infrastructure, such as creating privileged containers to escape to the host node and injecting code into serverless functions (FunctionGraph).
  • [EXTERNAL_DOWNLOADS]: It encourages the installation of third-party Python packages and binary tools from public registries to interact with cloud APIs, including the OpenStack client and Huawei Cloud SDKs.
  • [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection by ingesting untrusted data from cloud logs, metadata, and object storage.
    1. Ingestion points: Cloud metadata service (SKILL.md), OBS buckets (compute-storage-attacks.md), and LTS logs (platform-services-attacks.md).
    2. Boundary markers: No delimiters or explicit warnings are used to separate external data from agent instructions.
    3. Capability inventory: Extensive capabilities including shell access and network requests are available to the agent for processing this data.
    4. Sanitization: No validation or sanitization of the data retrieved from external cloud services is implemented.
Recommendations
  • HIGH: Downloads and executes remote code from: http://169.254.169.254/openstack/latest/meta_data.json - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 4, 2026, 08:16 AM