Back to skill

Security audit

Report Sql

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only SQL templating skill with no executable code, but its SQL safety claims should be verified before use.

Install only if you need report-service SQL templating guidance. Before using these patterns with real databases, confirm that report-service actually validates types and escapes or parameterizes every substituted value, use least-privilege or read-only database accounts where possible, and review generated SQL before running it on sensitive or production data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document explicitly claims the looping syntax is 'naturally immune to SQL injection' because values are safely escaped, but elsewhere it describes raw value substitution into SQL fragments such as quoted placeholders, LIKE patterns, IN lists, and block snippets without proving prepared-statement semantics. This can mislead users into trusting unsafe templating patterns and increases the chance that untrusted input reaches generated SQL in exploitable ways.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This skill is dedicated to generating executable SQL and asserts safety, yet it does not warn about the risks of running generated queries against production data or systems. In context, that omission is dangerous because users may apply the documented patterns to sensitive reporting databases, leading to injection, overbroad reads, or destructive query behavior if the templating engine is weaker than advertised.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.