Security audit

sql-linker-cli

Security checks across malware telemetry and agentic risk

Overview

This database skill's behaviour is mostly documented, but its credential handling and SQL controls are inconsistent enough with that documentation that users should review it before installing.

Install only if you trust the publisher and the configured cloud endpoint. Review audit_config.json before use, keep cloud_audit_url pinned to the intended service, use a least-privilege or read-only database account where possible, and do not assume the query command is read-only.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Severity: Medium
Confidence: 81%
Finding
The documentation claims API-key introspection returns only non-sensitive metadata, yet other documented output reveals whether a dbpw_key exists and that it is retrievable from the cloud path. Even without exposing the secret value directly, this leaks credential-state information that can help an attacker validate key scope and target follow-on credential abuse.

Intent-Code Divergence

Severity: Medium
Confidence: 80%
Finding
The Python API comment repeats the misleading claim that introspection returns only non-sensitive metadata, conflicting with the documented status output that includes dbpw_key-related information. This can cause integrators to treat the method as harmless and expose its output in logs, UIs, or telemetry where credential-state data should not appear.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The manifest describes cloud audit sync to a fixed endpoint, but the implementation trusts cloud_audit_url from local config and uses it for audit uploads and API-key lookups. That enables silent redirection of SQL metadata, user context, API-key validation traffic, and credential-key retrieval to an attacker-controlled host if the config is modified.
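The review step the overview recommends (open audit_config.json and confirm cloud_audit_url is still the intended endpoint) can be scripted so it runs before every install or upgrade. The check below is an added example, not part of this audit or of the skill's own code: the page names the file and the key, but not the intended endpoint value or the file's layout, so the pinned URL, the flat JSON layout and the sample configs are assumptions constructed for illustration. Rather than only reporting "differs", it explains which component changed, which is what distinguishes a benign path change from a redirected host or a userinfo trick that hides the real host behind an @.

```python
import json
import sys
from pathlib import Path
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed pinned endpoint (illustrative): substitute the endpoint the publisher
# actually documents as the fixed cloud audit service.
PINNED_AUDIT_URL = "https://audit.example.com/v1/audit"

# Constructed sample configs exercising the cases a reviewer should recognise.
SAMPLE_CONFIGS: Dict[str, str] = {
    "pinned": '{"cloud_audit_url": "https://audit.example.com/v1/audit"}',
    # Host lookalike: the pinned host is a label inside an attacker-controlled domain.
    "redirected": '{"cloud_audit_url": "https://audit.example.com.attacker.test/v1/audit"}',
    # Same host, but plaintext transport.
    "downgraded": '{"cloud_audit_url": "http://audit.example.com/v1/audit"}',
    # Userinfo trick: what looks like the host is actually the username part.
    "userinfo": '{"cloud_audit_url": "https://audit.example.com@attacker.test/v1/audit"}',
}


def check_audit_config(config_text: str, pinned_url: str = PINNED_AUDIT_URL) -> List[str]:
    """Return a list of problems with cloud_audit_url; an empty list means it is exactly pinned."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"audit_config.json is not valid JSON: {exc}"]
    url = cfg.get("cloud_audit_url") if isinstance(cfg, dict) else None
    if not isinstance(url, str) or not url:
        return ["cloud_audit_url is missing"]
    if url == pinned_url:
        return []

    # Explain the difference component by component so tampering is obvious.
    got, want = urlsplit(url), urlsplit(pinned_url)
    problems: List[str] = []
    if got.scheme != "https":
        problems.append(f"scheme is {got.scheme!r}, not https")
    if got.username is not None or got.password is not None:
        problems.append("URL embeds credentials (userinfo), which can disguise the real host")
    if got.hostname != want.hostname:
        problems.append(f"host is {got.hostname!r}, expected {want.hostname!r}")
    if got.port != want.port:
        problems.append(f"port is {got.port!r}, expected {want.port!r}")
    if got.path != want.path:
        problems.append(f"path is {got.path!r}, expected {want.path!r}")
    if not problems:  # only query/fragment differ; still not the pinned value
        problems.append(f"cloud_audit_url {url!r} differs from pinned {pinned_url!r}")
    return problems


if __name__ == "__main__":
    # Usage: python check_audit_config.py path/to/audit_config.json
    if len(sys.argv) > 1:
        text = Path(sys.argv[1]).read_text(encoding="utf-8")
    else:
        text = SAMPLE_CONFIGS["userinfo"]  # demo input when no file is given
    issues = check_audit_config(text)
    for issue in issues:
        print("cloud_audit_url:", issue)
    sys.exit(1 if issues else 0)
```

Exit status is non-zero on any deviation, so the check can gate a wrapper script that launches the CLI only when the config still points at the pinned service.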

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The tool retrieves dbpw_key from a remote API and combines it with a locally stored encrypted environment secret to recover the database password. Because that remote endpoint is taken from local configuration (cloud_audit_url) rather than fixed, compromise or redirection of the cloud channel can expose the decryption key and lead directly to database credential disclosure and downstream database access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The `query` command is presented and documented as a SELECT operation, but the implementation explicitly allows arbitrary SQL to be executed. In a CLI with database credentials and outbound/cloud-audit capabilities, this can mislead users or calling agents into running destructive or privileged statements such as `DROP`, `ALTER`, or writes through a path they may assume is read-only.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The inline warning admits the command is 'not limited to SELECT' while the docstring/help still says 'Execute SELECT query', creating a dangerous mismatch between the interface contract and the actual capability. That kind of misleading documentation is security-relevant because downstream users, wrappers, or agents may treat the command as low-risk read-only access and accidentally permit unsafe SQL execution.
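The two findings above describe the same gap: a command whose help text promises a read-only SELECT but whose implementation hands any statement to the database. The example below is added here and is not the skill's code; it assumes nothing about how sql-linker-cli connects and uses SQLite with a constructed sample table only because it runs offline. It places the audited pattern (documented as SELECT, executes anything) beside a hardened variant that enforces the contract at two layers: the connection is opened read-only, and an sqlite3 authorizer denies every statement type except reads, so a DROP, INSERT, PRAGMA or ATTACH is refused before it runs. For a server database the equivalent is the least-privilege, read-only account the overview recommends, with the authorizer-style allowlist kept in the CLI as defence in depth.

```python
import os
import sqlite3
import tempfile
from pathlib import Path
from typing import List, Tuple

# Authorizer actions a read-only query path may perform: running a SELECT,
# reading a column, and calling SQL functions such as count().
_READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def _read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Deny every statement type that is not a plain read (DROP, ALTER, INSERT, PRAGMA, ATTACH, ...)."""
    return sqlite3.SQLITE_OK if action in _READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY


def make_sample_db() -> str:
    """Create a throwaway SQLite file holding constructed sample rows; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT);"
        "INSERT INTO users(email) VALUES ('alice@example.test'), ('bob@example.test');"
    )
    conn.commit()
    conn.close()
    return path


def query_as_documented_unsafe(path: str, sql: str) -> List[Tuple]:
    """The audited pattern: help says 'Execute SELECT query', but any statement runs and commits."""
    conn = sqlite3.connect(path)
    try:
        rows = conn.execute(sql).fetchall()
        conn.commit()
        return rows
    finally:
        conn.close()


def query_read_only(path: str, sql: str) -> List[Tuple]:
    """Hardened variant: read-only open (mode=ro) plus an authorizer that rejects non-reads."""
    conn = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    try:
        conn.set_authorizer(_read_only_authorizer)
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def is_rejected(path: str, sql: str) -> bool:
    """True when the hardened path refuses the statement (raised before anything is written)."""
    try:
        query_read_only(path, sql)
        return False
    except sqlite3.DatabaseError:  # 'not authorized' and 'readonly database' both land here
        return True


def table_exists(path: str, name: str) -> bool:
    conn = sqlite3.connect(path)
    try:
        row = conn.execute(
            "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
        ).fetchone()
        return row is not None
    finally:
        conn.close()


if __name__ == "__main__":
    db = make_sample_db()
    print(query_read_only(db, "SELECT email FROM users ORDER BY id"))
    print("DROP refused by read-only path:", is_rejected(db, "DROP TABLE users"))
    query_as_documented_unsafe(db, "DROP TABLE users")  # the documented 'SELECT' command
    print("table survives the documented 'SELECT' command:", table_exists(db, "users"))
    os.unlink(db)
```

The authorizer runs when the statement is prepared, so a denied statement never reaches the engine; the read-only open is the fallback in case the allowlist is ever loosened.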

Context-Inappropriate Capability

Severity: Low
Confidence: 82%
Finding
The `tables` command enumerates normal, privileged, and system tables and optionally fields, which meaningfully increases reconnaissance capability. While schema discovery can be legitimate for administration, exposing privileged and system structure goes beyond minimal CRUD and can help an attacker identify sensitive targets and craft follow-on queries.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.