Back to skill

Security audit

PostgreSQL Database

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate PostgreSQL administration skill, but it gives an agent broad database credential and raw SQL authority without built-in safety limits.

Install only if you intentionally want an agent to operate PostgreSQL. Use a least-privileged or read-only database user by default, keep .env and ~/.pgpass private, run scripts only from trusted directories, and manually approve any UPDATE, DELETE, DDL, restore, bulk export, or backup-retention action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Credential Access

High
Category
Privilege Escalation
Content
set -e

# 加载环境变量
if [ -f .env ]; then
    source .env
fi
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
# 加载环境变量
if [ -f .env ]; then
    source .env
fi

# 默认值
Confidence
93% confidence
Finding
.env

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.