Back to skill

Security audit

TEXT2SQL

Security checks across malware telemetry and agentic risk

Overview

This text-to-SQL skill may be useful, but it handles database credentials and sends database or spreadsheet contents to asksql.ai in ways that are not clearly disclosed or tightly scoped.

Install only if you are comfortable with asksql.ai receiving your natural-language questions, topic YAML, database metadata, sampled data values, and full Excel files. Avoid production databases or sensitive spreadsheets unless you first remove plaintext credential storage, mask database URLs, disable sampling and Excel uploads by default, and add explicit consent before any remote call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill performs file reads/writes and outbound network access but does not declare those capabilities as permissions. This undermines transparency and consent, especially because the workflow stores local configuration files and sends data to an external API. In a security-sensitive agent environment, hidden capabilities materially increase risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill's stated purpose sounds like benign SQL generation, but the documented behavior includes collecting and storing database credentials, reading broad schema and sample data, issuing DISTINCT queries, and sending configuration-derived data to an external service. That mismatch is dangerous because users may authorize a much more invasive workflow than they realize, enabling credential exposure and unintended data exfiltration.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script transmits database-derived metadata to https://asksql.ai/ for knowledge generation, which exceeds a local schema-reading function and creates an external data exfiltration path. In context, the script also samples table values earlier and stores them in the same in-memory structures, making it plausible that sensitive column names, comments, enum candidates, and potentially representative values are disclosed to a third party without an explicit consent gate.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This code does more than inspect schema: it runs SELECT queries against every table, collects sample values, computes uniqueness information, and persists that information into output JSON. Even if intended for profiling, this behavior can capture sensitive business data or personal data and expands exposure far beyond what users would expect from a 'table reader' script.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
In Excel mode, the script uploads the provided file directly to a third-party service. Because Excel files may contain confidential data, formulas, or regulated information, this creates a clear external disclosure risk that is not necessary for simply reading table-like structure from a local file.

Intent-Code Divergence

Medium
Confidence
77% confidence
Finding
The function documentation implies that providing an Excel file will bypass database-related behavior, but the function still proceeds into shared network-based knowledge generation logic. This mismatch is dangerous because operators may rely on the docstring to assume a local-only path, while the implementation still performs external transmission.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes use of an external HTTP API but does not clearly warn that user questions and configuration files are transmitted off-box. This creates a data handling and consent problem, particularly because configuration files may contain schema metadata or other sensitive business context that users may not expect to leave their environment.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to collect database credentials and save them locally, but it does not prominently warn users that secrets will be persisted in a local configuration file. Silent local storage of credentials is dangerous because it expands secret exposure to other local users, backups, logs, and later processes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script persists the database password in plaintext JSON on local disk, which creates a credential exposure risk if the file is read by other local users, included in backups, collected by logs/support bundles, or accidentally committed to source control. In a text-to-SQL skill, these credentials likely grant direct database access, so compromise of the config file can lead to unauthorized access to sensitive data and downstream system abuse.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script sends both the user's natural-language question and the full YAML configuration file to an external service over the network, which can expose sensitive schema details, business logic, credentials mistakenly stored in config, or proprietary metadata. In a text-to-SQL skill, configuration files often describe database structure and data topics, so transmitting them off-box materially increases confidentiality and compliance risk, especially because the default endpoint is a third-party domain and the script provides no consent, minimization, or redaction controls.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script prints the database URL and later writes db_url into output JSON, which can expose embedded usernames, passwords, hostnames, and other connection details in logs and files. These credentials can be harvested from terminal history, CI logs, shared artifacts, or output directories and used for direct database compromise.

Missing User Warnings

High
Confidence
95% confidence
Finding
The script extracts sample table data and incorporates it into structures later used for remote knowledge generation, without any explicit warning, review step, or data minimization boundary. In a text-to-SQL skill, database contents are especially likely to include proprietary or personal information, so even small samples can be highly sensitive.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code uploads the full Excel file to an external API without an explicit warning or authorization checkpoint. Because spreadsheets often contain sensitive operational and customer data, this creates a significant confidentiality risk that is disproportionate to the stated reader functionality.

Ssd 3

Medium
Confidence
99% confidence
Finding
The skill directs the agent to gather a database URL and password and persist them to a local JSON file. Storing credentials in plaintext or broadly accessible local files is a common secret-management flaw that can lead to compromise of the underlying database if the host, workspace, or artifacts are exposed.

Ssd 3

Medium
Confidence
99% confidence
Finding
The repeated instruction to obtain and save database URL/password increases the likelihood that an agent will normalize collecting and persisting sensitive credentials as part of routine interaction. Repetition in workflow guidance makes accidental over-collection and insecure handling more likely, especially in automated or semi-automated deployments.

Ssd 3

Medium
Confidence
98% confidence
Finding
The notes explicitly confirm that database URL and password are saved in a local output configuration file. That codifies insecure secret persistence as intended behavior, increasing the chance of credential leakage through filesystem access, backups, repository mistakes, or artifact collection.

External Transmission

Medium
Category
Data Exfiltration
Content
"db_name": db_name
                }
                # print(column_info)
                response = requests.post(
                    generate_url,
                    json={"data": column_info, "format": "json"},
                    timeout=120
Confidence
87% confidence
Finding
requests.post( generate_url, json=

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.