AWS Redshift Skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real AWS Redshift administration skill, but it gives an agent powerful database and AWS control without built-in safety gates.

Install only if you intend to let an agent administer Redshift. Use a dedicated least-privilege AWS profile or role, restrict it to specific clusters/workgroups/namespaces/databases/S3 prefixes, and require human review before delete, restore, resize, pause/resume, COPY, UNLOAD, or non-read-only SQL actions. Avoid production use until those controls are enforced outside the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Vague Triggers

Severity: Medium
Confidence: 79%
Finding:
The catch-all trigger phrase ('or similar keywords') is overly broad and can cause the skill to activate on loosely related prompts. Because this skill can execute SQL and perform infrastructure operations, accidental invocation increases the chance of unintended data access, query execution, or administrative actions in the wrong context.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill prominently exposes destructive and high-impact operations such as create, delete, resize, pause, resume, reboot, restore, COPY, and UNLOAD without an equally prominent safety model requiring confirmation. In the Redshift context, mistaken execution can cause outages, data loss, costly infrastructure changes, or bulk data movement to and from S3.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The guide recommends using UNLOAD to export query results to S3 but omits any warning that this can exfiltrate sensitive warehouse data, broaden access via S3 bucket policies, or overwrite existing exports when paired with overwrite options. In an agent skill context, documenting a data-export primitive without guardrails increases the chance an agent will perform unsafe bulk extraction or write into an unintended bucket/prefix.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The guidance tells users how to share manual snapshots with other AWS accounts but omits an explicit warning that snapshots contain database contents and may expose sensitive data to external principals. In a Redshift administration skill, this omission is security-relevant because users may treat snapshot sharing as a routine operational step without considering data classification, least-privilege review, or whether sharing is actually authorized.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
This tool exposes direct execution of arbitrary SQL through an agent-facing interface, including potentially destructive statements such as DROP, DELETE, TRUNCATE, ALTER, or privilege changes. In the context of an autonomous or semi-autonomous agent, the lack of guardrails, confirmation requirements, read-only mode, or statement classification materially increases the risk of accidental or prompt-induced destructive database actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
This tool can export arbitrary query results to S3 via UNLOAD, enabling bulk data exfiltration from Redshift to external storage. In an agent skill, the danger is elevated because sensitive datasets could be copied to attacker-controlled or unintended buckets without any disclosure, approval gate, destination validation, or data sensitivity checks.

Missing User Warnings

Severity: Low
Confidence: 78%
Finding:
This tool performs COPY imports from S3 into Redshift, which modifies database contents and can introduce malicious, corrupted, or unintended data if misused. While this is a legitimate administrative capability, exposing it through an agent without confirmation, source validation, or schema/table restrictions creates a meaningful integrity risk and could also trigger downstream processing on attacker-supplied data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The delete_cluster method directly invokes Redshift cluster deletion and supports skipping the final snapshot, but contains no built-in confirmation, approval gate, or safety interlock. In an agent skill context, this materially increases the risk of accidental or unauthorized destructive actions that can cause irreversible data loss or service outage, especially if higher-level prompting or orchestration is weak.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The delete_cluster tool directly exposes a destructive infrastructure operation without any confirmation, dry-run, or explicit acknowledgement parameter. In an agent-integrated skill, this increases the chance of accidental or prompt-induced deletion of production Redshift clusters, potentially causing outage and data loss if final snapshots are skipped.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The delete_snapshot tool exposes irreversible deletion of backups without any warning or confirmation step. In the context of an agent skill managing Redshift resources, this can remove recovery points through accidental invocation or malicious prompting, increasing the blast radius of other failures or destructive actions.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The skill exposes a delete_workgroup tool directly to an agent with no built-in confirmation, dry-run mode, or safeguard indicating that the action is destructive. In an agent context, ambiguous user prompts, prompt injection, or tool misuse could cause unintended infrastructure deletion and service disruption.

Missing User Warnings

Severity: High
Confidence: 94%
Finding:
delete_namespace is more dangerous than ordinary resource deletion because a Redshift Serverless namespace is data-bearing; deleting it can permanently remove databases and associated state if snapshot options are omitted or misused. In an agent-integrated skill, exposing this operation without strong warnings, required snapshot protection, or confirmation materially increases the risk of irreversible data loss from accidental or induced invocation.

VirusTotal

64/64 vendors flagged this skill as clean.