Back to skill

Security audit

Database Schema Differ

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned database schema diff and migration-generation skill, but users should treat its generated SQL and example credentials carefully.

Install only if you are comfortable giving the skill database connection details for the databases you choose. Use environment variables or a secrets manager instead of putting real passwords in command lines, inspect generated SQL for DROP or constraint changes, back up data, and apply migrations manually through your normal review process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README includes example commands with inline database credentials embedded directly in connection URLs. Even if the values appear illustrative, this normalizes unsafe handling of secrets and can lead users to paste real credentials into shell history, process lists, CI logs, or shared documentation, causing credential exposure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
A schema differ that generates migration scripts can produce destructive SQL such as DROP TABLE, DROP COLUMN, or constraint changes, yet the description does not prominently warn users to review generated migrations before applying them. In operational contexts, users may treat generated SQL as safe automation and unintentionally cause data loss or production outages.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples embed credential-bearing database URIs directly in commands without any privacy or secret-handling warning. Users may copy real credentials into shell history, CI logs, process listings, shared screenshots, or generated reports, leading to credential exposure and downstream database compromise.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The tool writes generated migration output directly to a user-supplied path and emits destructive SQL such as DROP COLUMN and DROP TABLE rollback logic without confirmation, overwrite protection, or prominent warnings. In a schema-management skill, users may trust generated migrations and execute them in automation, so unsafe defaults can cause accidental destructive changes or clobber important files if an unintended path is supplied.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.