NocoDB Skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate NocoDB integration, but it gives an agent broad authority to delete data, change access, upload local files, and manage API tokens without strong safety guardrails.

Install only if you are comfortable letting the agent act with the full permissions of the supplied NOCODB_TOKEN. Use a least-privilege token, avoid production data until tested, and require explicit human confirmation before deletes, bulk updates, membership changes, file uploads, script changes, or token:create/token:delete commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The declared description omits sensitive capabilities such as API token lifecycle management, which can create or revoke credentials with broader downstream access than ordinary data operations. A behavior-description mismatch reduces informed consent and can cause users or agents to invoke credential-affecting actions unexpectedly.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script exposes powerful administrative capabilities well beyond ordinary database CRUD, including workspace/base membership management, team management, script management, and API token creation/deletion, while the stated skill description only says it can 'access and manage NocoDB databases via REST APIs.' In an agent setting, this mismatch is dangerous because users and higher-level policy systems may grant the skill assuming limited data operations, while the implementation can alter permissions, invite/remove members, and mint or revoke credentials.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation includes destructive operations such as delete commands for workspaces, bases, tables, fields, views, and records without warning about irreversibility or data loss. In an agent setting, omission of cautionary guidance increases the chance of accidental destructive actions against production data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The attachment upload command transmits a local file path to a remote NocoDB service, but the docs do not warn that local files leave the host environment. In agent workflows, this can lead to unintended exfiltration of sensitive local data if a user or model supplies the wrong file path.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
API token commands handle highly sensitive credentials, yet the docs provide no warning about the security impact of creating, listing, or deleting tokens. Exposure or misuse of these commands can enable unauthorized access, privilege expansion, persistence, or service disruption depending on token scope.
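The overview's guidance (least-privilege token, no production data until tested, human confirmation before deletes, bulk updates, membership changes, file uploads, script changes and token commands) and the two findings above on attachment uploads and token commands describe a policy an agent harness can enforce mechanically. The following is an added example of such a gate, written for this page; it is not code from the NocoDB skill or from NocoDB. Only token:create and token:delete are command names taken from the page; every other command name, the resource:verb spelling, and the upload directory are assumptions made for illustration.

```python
"""Added example, not the NocoDB skill's own code: a policy gate placed in
front of the skill's commands. It classifies each command as allow, confirm
(needs a human yes) or deny, fails closed on unknown commands, and confines
attachment uploads to one approved directory so a wrong or hostile path
cannot ship ~/.ssh or /etc files to the remote NocoDB instance."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path
from typing import Optional

ALLOW, CONFIRM, DENY = "allow", "confirm", "deny"

# Assumed command vocabulary (resource:verb). Only token:create and
# token:delete appear on the page; the rest are illustrative names.
CREDENTIAL_COMMANDS = {"token:create", "token:delete", "token:list"}
UPLOAD_COMMAND = "attachments:upload"
DESTRUCTIVE_VERBS = {"delete", "remove", "bulk-update", "bulk-delete"}
READ_VERBS = {"list", "get", "count"}
SINGLE_WRITE_VERBS = {"create", "update"}
ACCESS_RESOURCES = {"workspace-members", "base-members", "teams", "scripts"}
DEFAULT_UPLOAD_ROOT = Path("/srv/agent-uploads")  # assumed directory


@dataclass(frozen=True)
class Decision:
    action: str  # one of ALLOW, CONFIRM, DENY
    reason: str


def confine_upload(path_str: str, upload_root: Path) -> Optional[Path]:
    """Return the resolved path if it stays under upload_root, else None.

    resolve() collapses '..' and follows symlinks, so a relative path that
    climbs out, an absolute path elsewhere, or a symlink pointing outside
    the root all fail the relative_to() check below.
    """
    root = upload_root.resolve()
    # Path('/root') / '/etc/passwd' yields '/etc/passwd': an absolute input
    # replaces the root instead of being appended, and is then rejected.
    target = (root / path_str).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return None
    return target


def gate(command: str, args: list[str], upload_root: Path, production: bool) -> Decision:
    """Classify one skill command before the agent is allowed to run it."""
    resource, _, verb = command.partition(":")

    if command in CREDENTIAL_COMMANDS:
        # Minting or revoking a token changes access far beyond any row edit:
        # refuse outright against production, ask a human otherwise.
        return Decision(DENY if production else CONFIRM, "API token lifecycle command")

    if command == UPLOAD_COMMAND:
        if not args:
            return Decision(DENY, "upload requires a local path argument")
        if confine_upload(args[0], upload_root) is None:
            return Decision(DENY, f"path {args[0]!r} escapes upload root {upload_root}")
        return Decision(CONFIRM, "local file will leave the host")

    if verb in DESTRUCTIVE_VERBS:
        return Decision(CONFIRM, f"{command} is irreversible")

    if verb in READ_VERBS:
        return Decision(ALLOW, "read-only")

    if resource in ACCESS_RESOURCES:
        return Decision(CONFIRM, f"{resource} changes alter permissions or executable code")

    if verb in SINGLE_WRITE_VERBS:
        return Decision(CONFIRM if production else ALLOW, "single-record write")

    # Fail closed: anything outside the vocabulary above is asked about.
    return Decision(CONFIRM, f"unrecognised command {command}")


def authorised(decision: Decision, human_confirmed: bool) -> bool:
    """Final go/no-go: DENY never runs, CONFIRM runs only with a human yes."""
    if decision.action == DENY:
        return False
    if decision.action == CONFIRM:
        return human_confirmed
    return True


if __name__ == "__main__":
    # Constructed sample of agent-issued commands against a production base.
    for cmd, args in [("records:list", []), ("records:delete", ["42"]),
                      ("token:create", []), ("attachments:upload", ["../../etc/passwd"]),
                      ("attachments:upload", ["report.csv"]), ("teams:add", ["bob"])]:
        d = gate(cmd, args, DEFAULT_UPLOAD_ROOT, production=True)
        print(f"{cmd:20} {d.action:8} {d.reason}")
```

The gate is deliberately coarse: it decides from the command name alone, so it cannot be bypassed by a cleverly worded payload, and the only way an unknown command runs is after a human has read it. The upload check is the important detail: without path confinement, a confirmation prompt still leaves the human to notice that "report.csv" was actually "../../.ssh/id_rsa".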

VirusTotal

63/63 vendors flagged this skill as clean.
