SQL Query Generator

Security checks across malware telemetry and agentic risk

Overview

This is a useful SQL helper, but it overstates its safety while including unsafe query-building patterns and default local audit logging that users should review before installing.

Install only if you treat it as a draft SQL-generation aid, not a security guarantee. Review every generated query, avoid user-controlled raw WHERE/JOIN/HAVING strings, use least-privilege or read-only database roles by default, require explicit confirmation for writes or DDL, and disable or protect audit logs unless you have a retention and access-control plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises query generation but embeds code and instructions for network-capable live database connectivity without any declared permission boundary. In agent environments, this hidden operational capability can let a supposedly offline helper initiate external connections and interact with real databases, expanding the attack surface beyond user expectations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The description frames the skill as a secure SQL query generator, but the documented behavior includes broader capabilities such as DML, DDL, and natural-language parsing into actionable database operations. This mismatch is risky because consumers may authorize a low-risk assistant skill while it can generate destructive or schema-altering statements that exceed expected scope.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document makes absolute security claims such as 'military-grade security', '100% detection rate', '100% enforcement', and broad compliance assertions without providing verifiable evidence in the file. In a security-focused skill, this can mislead users and integrators into overtrusting the system, causing them to relax independent validation, monitoring, or defense-in-depth assumptions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill claims to generate SQL, but the documented code goes further by creating live database connections and executing SQL statements. That changes the skill from advisory tooling into an operational database client, enabling unintended data access or modification if an agent follows the examples automatically.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The audit-focused generator also includes local filesystem logging behavior, which is an undeclared side effect beyond pure query generation. In agent deployments, writing query metadata to local logs can expose sensitive operational details, user identifiers, IP addresses, or query structure to unintended readers.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
Writing audit logs to /var/log/sql_audit.log is not necessary for a query-generation skill and introduces local data persistence of potentially sensitive metadata. If deployed in shared or misconfigured environments, these logs may leak user IDs, IP addresses, query patterns, or operational context.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Creating live database connections exceeds the stated purpose of SQL generation and grants the skill real operational reach into database infrastructure. In an agent setting, this can enable unauthorized data retrieval, state changes, or interaction with production systems under the guise of merely generating queries.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The prepared statement pool actively prepares and executes SQL on a live connection, which is materially different from generating safe query text. This broadens the skill into direct database interaction and could let an agent perform real queries or mutations if integrated without strict execution controls.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is advertised as a SQL query generator, but it also includes instructions and sample code for establishing live database connections and executing queries/prepared statements. In an agent setting, this expands the capability boundary from offline query construction to direct data access and mutation, which can enable unintended database interaction if a host blindly trusts the skill’s stated scope.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documented audit logger writes query-related metadata to /var/log/sql_audit.log, but this persistent file-write behavior is not disclosed in the manifest. Undeclared file output is risky in agent environments because it can leak sensitive operational metadata, violate least surprise, and bypass policy decisions that rely on manifest-declared capabilities.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Live database connection management is not necessary for a skill whose stated purpose is generating SQL queries. Including connection code increases the attack surface by normalizing credential handling, outbound connections, and session-level SQL execution in a context where consumers may expect no side effects beyond text generation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Prepared statement pooling here goes beyond describing parameterized SQL and provides execution primitives that issue PREPARE and EXECUTE commands against a live connection. That makes the skill operational rather than advisory, creating risk of unintended query execution or misuse by agents that ingest the documentation as runnable guidance.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The module advertises SQL injection prevention, but generate_select_query directly interpolates join['on'], where_conditions, and having into the SQL string without validation or parameter binding. In a skill whose purpose is generating "secure SQL queries," this mismatch is especially dangerous because callers may trust the API and pass attacker-controlled fragments, leading to arbitrary predicate manipulation or broader query injection.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The audit logger writes query metadata, user IDs, IP addresses, and event details to a local file and optionally the console, with no visible consent, minimization, retention, or access-control safeguards in this module. Even though queries are partially sanitized, these logs can still expose sensitive business activity, identifiers, and security events, creating privacy and secondary data leakage risk if logs are accessed by unauthorized users.

VirusTotal

60/60 vendors flagged this skill as clean.
