SurrealDB 3

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed SurrealDB helper skill that uses database credentials and optional local files for its stated purpose, with no evidence of hidden or malicious behavior.

Install only if you are comfortable giving the skill SurrealDB connection details. Use scoped or read-only credentials where possible, avoid root credentials outside disposable local development, review generated SurrealQL and MCP mutations before production use, do not commit generated .env files, and disable or tightly control telemetry, pipe commands, and CDC setup in sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Intent-Code Divergence

Medium (96% confidence)
Finding:
The audit_log example is described as append-only and admin-readable, but `FOR create FULL` allows any caller with create capability on that table context to inject arbitrary audit records. That undermines audit integrity by enabling forgery, noise injection, or misleading entries that could hide real activity during investigations.

Context-Inappropriate Capability

Medium (92% confidence)
Finding:
The documented pipe feature explicitly allows execution of a host-side command (`curl`) from within a virtual filesystem interface, which expands the attack surface from data storage to command execution. In an AI-agent context, if untrusted prompts or tool inputs can influence that command string, this can become a command-injection or SSRF-style primitive and can also be abused to fetch malicious content into the workspace.

Vague Triggers

Medium (87% confidence)
Finding:
The skill uses broad, natural-language decision-tree triggers such as 'User wants to create a SurrealDB project' and similar phrases that can match ordinary conversation rather than an explicit tool invocation. In an agent environment, this can cause the skill to activate on loosely related prompts and steer the agent toward operational commands, increasing the risk of unintended database actions or unsafe guidance being applied out of context.

Missing User Warnings

Medium (94% confidence)
Finding:
The example uses the default SurrealDB root username/password pair (`root`/`root`), which can normalize insecure practices and lead users to copy-paste privileged credentials into real environments. The brief 'local dev only' note reduces risk somewhat, but this is still dangerous in a security-focused database skill because examples are often reused verbatim and root credentials grant full database control.

Missing User Warnings

Medium (95% confidence)
Finding:
The PostgreSQL trigger-based CDC setup instructions direct users to run a setup command that creates triggers and tracking tables on the source database, but they do not explicitly warn that this modifies the production source system. In an agent-skill context, terse operational commands are likely to be copied or executed directly, so omission of a modification warning can cause unintended changes to live databases, operational disruption, or policy violations.

Missing User Warnings

Medium (96% confidence)
Finding:
The MySQL setup section tells users to run a setup command that creates triggers and CDC tracking tables on the source database, yet it lacks an explicit warning that the source database will be altered. Because this skill is documentation intended to guide automation and operator actions, the missing warning increases the chance of accidental source-side changes in production environments.

Missing User Warnings

Medium (88% confidence)
Finding:
The documentation explicitly enables Logfire telemetry and states that filesystem operations are automatically traced, but it does not warn users that file paths, filenames, and potentially file contents or prompts may be sent to an external observability service. In an AI-agent filesystem context, this can expose sensitive workspace data, secrets, or user artifacts through telemetry without informed consent.

Missing User Warnings

Medium (88% confidence)
Finding:
The document enumerates write-capable tools such as insert, create, upsert, update, delete, and relate, but does not clearly warn that these operations can modify or permanently remove production data. In an agent-skill context, exposing destructive capabilities without an explicit caution increases the chance an LLM or operator will invoke them inappropriately against a live database.

Missing User Warnings

Medium (97% confidence)
Finding:
The interactive flow offers to write SURREAL_USER and SURREAL_PASS into a .env file in the current working directory with no warning that the secrets will be stored in plaintext. This can lead to accidental credential disclosure through source control, backups, shared directories, or permissive filesystem access, especially because the prompt defaults to generating the file.

VirusTotal

66/66 vendors flagged this skill as clean.
