Xby Db

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks for credentials and sends database operations to a third-party API while its database-service identity and safeguards are inconsistently documented.

Only install this if you are comfortable using Xiaobenyang as a remote intermediary for database metadata, SQL, and connection details. Use a limited-scope API key and database account, avoid production or write-capable credentials unless necessary, and do not rely on the claimed validation/audit controls unless the publisher documents where they are enforced.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
The documentation is internally inconsistent: it presents a database service, but the workflow requires an external API key and even references unrelated school-search functions. Such contradictions are a strong indicator that the skill may route user data to an unintended backend or that the instructions were copied from another skill, undermining confidence in safe handling of database queries and secrets.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
The architecture section says the code only calls APIs, which conflicts with the claim that the skill itself provides database security features such as validation, auditing, and control. This can mislead users into believing protections exist locally when they may instead be absent or entirely delegated to an external service.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
The configuration clearly targets an unrelated external service ('小笨羊高考') instead of the declared database access service. This kind of service-identity mismatch is dangerous because it can cause operators or users to supply credentials and send data to an unexpected third-party endpoint, undermining trust boundaries and potentially enabling covert data exfiltration.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
This module persists and exposes credentials for an unrelated external API even though the skill is presented as a database access service. In this context, storing a third-party API key expands the attack surface and creates a path for accidental credential collection, misuse, or unexpected outbound access unrelated to the stated function.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
The docstring identifies the module as configuration for a different skill, contradicting the declared database service identity. While not exploitable on its own, this inconsistency is a meaningful security concern because it signals code reuse or repurposing that can hide undeclared network behavior, secret usage, or supply-chain tampering.

Missing User Warnings

Severity: Medium
Confidence: 90%
The skill exposes write-capable SQL execution, including INSERT/UPDATE/DELETE and possibly DDL, without an explicit user-facing warning about data modification risk or guidance for confirmation before destructive actions. In a database-access context, that omission materially increases the risk of accidental or unauthorized data changes.

Missing User Warnings

Severity: Medium
Confidence: 91%
The EXPLAIN tool documentation omits that EXPLAIN ANALYZE executes the query, which can trigger side effects for non-SELECT statements or impose significant performance load. In a database tool, failing to warn users about actual execution can lead to unintended writes, locks, or production impact.

Missing User Warnings

Severity: Medium
Confidence: 88%
The function writes API keys directly to a local .env file without any confirmation, warning, or security control. Persisting secrets this way can leave credentials exposed through backups, source-control mistakes, shared workspaces, or local file disclosure, especially in agent or multi-user environments.

VirusTotal

64/64 vendors flagged this skill as clean.
