Zero TiDB (Deprecated)

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is coherent for creating temporary TiDB Cloud databases, but users should treat the generated connection details as secrets.

Install only if you want an agent to create temporary TiDB Cloud Zero databases. Review curl/mysql commands before execution, keep the saved JSON and connection string out of logs and git, use restrictive file permissions, and delete the credentials after use or expiration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium (94% confidence)
Finding
The skill explicitly instructs saving returned instance details, which include a plaintext password and connection string, to a local file. Although it says to store the file securely, it does not provide safe secret-handling guidance such as restricting file permissions, avoiding logs/version control, minimizing retention, or using a secret manager, which increases the chance of credential leakage.

VirusTotal

65/65 vendors flagged this skill as clean.
