TEXT2SQL

Security checks across malware telemetry and agentic risk

Overview

This Text-to-SQL skill has a coherent purpose, but it under-discloses sensitive database and spreadsheet data handling that users should review before installing.

Install only if you are comfortable with database schema details, sampled values or enum lists, YAML topic files, natural-language questions, and possibly entire Excel workbooks being sent to the configured API provider. Use a read-only least-privilege database account, avoid regulated or production data, inspect and protect the generated output files, and rotate or delete any plaintext database credentials after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill performs file reads/writes and outbound network access but does not declare those capabilities as permissions. This creates a transparency and governance gap: users and hosting platforms cannot accurately assess that the skill will inspect local files, persist configuration, and contact a remote service before enabling it.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior goes beyond simple natural-language-to-SQL assistance: it reads live database schemas, processes Excel inputs, stores credentials locally, and sends configuration-derived data to a remote API. That mismatch is dangerous because users may authorize the skill expecting query generation only, while it can access and export broader metadata from databases and local files.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script samples live table contents, including per-column sample values and row-derived metadata, and later packages schema/data-derived information for transmission to a fixed third-party endpoint. In a Text-to-SQL helper, this creates unnecessary exposure of potentially sensitive database contents and metadata beyond the minimum needed for local query generation.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
In Excel mode, the code uploads the entire user-supplied file to a remote service rather than extracting only the minimum local metadata required. This can disclose all spreadsheet contents, including secrets, personal data, or proprietary business information, to an external party without clear necessity or user warning.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script performs unsolicited network transmission of database-derived metadata or local file contents to a hard-coded external endpoint. Hard-coded exfiltration paths are especially risky in agent skills because users may reasonably expect local database inspection, not remote data export.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger description is broad enough to activate on common support or configuration requests, increasing the chance the skill is invoked in contexts where users did not intend database access, file processing, or remote API use. Overbroad activation raises the risk of unnecessary collection of credentials, schema metadata, or question content.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The skill's trigger conditions are ambiguous and do not define precise boundaries for when it should run. In a skill that can read database structures, write config files, and call external services, ambiguous triggering materially increases the chance of unintended sensitive actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs users to provide database passwords and states that credentials are saved locally, but it does not provide a clear privacy/security warning, storage protections, or secret-handling guidance. Storing database credentials in local config files can lead to credential theft, lateral movement, or unauthorized database access if the file system is exposed.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill sends user questions and a YAML configuration file to an external API endpoint without a clear warning that user data and database-derived metadata leave the local environment. Even if the endpoint uses HTTPS, undisclosed external transmission can expose sensitive business semantics, schema details, and potentially regulated information to a third party.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script persists the database password directly into a JSON file in plaintext, which exposes the credential to any local user, process, backup system, or accidental source-control commit that can read that file. In the context of a text-to-SQL skill, that credential may grant broad read or write access to application data, so its disclosure is materially dangerous even though the weakness itself is local rather than remote.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads the entire local YAML configuration file and sends it together with the user's natural-language question to a remote API endpoint. Even though this appears necessary for the text-to-SQL feature, there is no explicit consent, warning, redaction, or restriction on what may be exfiltrated, so sensitive schema details, business logic, credentials mistakenly stored in config, or confidential user questions could be disclosed to an external service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes database schema details and sampled row values into local JSON artifacts without any privacy warning, minimization, or controls on output sensitivity. These files can persist sensitive metadata or sample contents on disk where other users, processes, backups, or logs may later access them.

Missing User Warnings

High
Confidence
99% confidence
Finding
Database schema information, enriched with comments and potentially value lists derived from data, is sent to an external API without a clear privacy notice or informed consent. Even when not sending full rows, schema names, comments, and enumerated values can reveal sensitive business logic, tenant identifiers, or regulated categories of data.

VirusTotal

VirusTotal findings are pending for this skill version.
