Security audit

database-admin

Security checks across malware telemetry and agentic risk

Overview

This database-admin skill should be reviewed because it exposes live-looking PostgreSQL credentials and includes scripts aimed at a specific RoadFlow database.

Review before installing. Treat the exposed database password as compromised and rotate it, remove hardcoded connection details, use environment variables or a secret manager, run with least-privilege credentials, and require explicit confirmation or dry-runs before schema changes, restores, cleanup, benchmarks, or bulk updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill file contains hardcoded PostgreSQL credentials and a specific internal host for a live-looking database target. This is highly dangerous because anyone with access to the skill can reuse those secrets to connect to the database, exfiltrate or modify data, and pivot into the internal network; the fact that this is a database-admin skill makes the exposed credentials especially powerful rather than contextualizing them away.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The function advertises a whole-database backup but only writes a hardcoded placeholder SQL stub, creating a false sense of protection. In a disaster-recovery context, operators may rely on these files and later discover that no real data was preserved, causing permanent data loss and failed recovery when backups are needed most.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The restore routine claims to restore a database but only reads the file, performs a minimal non-empty check, and returns simulated success. This can mislead administrators into believing recovery succeeded, delaying incident response and potentially causing extended outage or irreversible data loss.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The helper is documented as executing SELECT queries, but executeQuery passes arbitrary SQL directly to pool.query without enforcing read-only behavior. In a CLI/database-helper context, this can enable destructive statements such as INSERT, UPDATE, DELETE, DROP, or DDL if untrusted input reaches this function, making the mismatch materially dangerous rather than merely a documentation issue.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The benchmark function executes arbitrary user-supplied SQL directly against the connected PostgreSQL instance in a loop. This turns a query-analysis utility into a general-purpose database execution tool, allowing destructive or state-changing statements such as INSERT, UPDATE, DELETE, DDL, or expensive queries to be run repeatedly, which can damage data or degrade availability.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The index report query interpolates the user-controlled tableName directly into a SQL string without parameterization or identifier validation. An attacker can inject SQL through the table name argument, potentially executing arbitrary commands against the database with the tool's privileges, which is especially dangerous because this function is presented as harmless metadata inspection.

Intent-Code Divergence

High
Confidence: 97%
Finding
The function claims to migrate in batches, but repeatedly executes the same full-table INSERT ... SELECT without LIMIT/OFFSET, cursoring, or deduplication. This can duplicate data many times, rapidly grow tables, and create severe database load or outages; because table names and condition values are interpolated directly, it also compounds the risk of SQL injection if untrusted input reaches this path.

Missing User Warnings

High
Confidence: 88%
Finding
The skill explicitly advertises destructive operations such as DROP TABLE, DROP INDEX, TRUNCATE, and restore actions without any warning, confirmation flow, scope limits, or safety guidance. In an agent setting, this increases the chance of accidental or unsafe execution that can cause irreversible data loss or service disruption, especially because the skill is framed as a general-purpose admin capability.

Missing User Warnings

High
Confidence: 98%
Finding
Beyond merely describing connectivity, this section exposes exact connection parameters and secret material with no privacy or security warning, effectively turning the skill into a credential disclosure vector. Because the skill's purpose is privileged database administration, disclosure here materially enables direct unauthorized access and misuse of production-like infrastructure.

Missing User Warnings

Medium
Confidence: 94%
Finding
The code retrieves complete records from the rf_form table and prints all fields to stdout, which can expose sensitive HR, attendance, leave, or payroll data to logs or any user with access to execution output. In this context, the database appears to contain personnel-related forms, so unrestricted dumping of full contents materially increases confidentiality risk.

Missing User Warnings

High
Confidence: 99%
Finding
The script contains hardcoded PostgreSQL host, username, and password credentials, which exposes direct database access to anyone who can read the file. Because the credentials target an internal database holding HR-related forms, compromise could enable unauthorized data access, bulk extraction, or further lateral movement within the environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script prints database metadata, record counts, form names, and a full sample row directly to stdout. If run in shared terminals, CI logs, support bundles, or centralized log systems, this can expose sensitive business or personal data beyond the intended audience.

Missing User Warnings

Medium
Confidence: 99%
Finding
Hardcoded PostgreSQL credentials are embedded directly in source code, including host, username, and password. If the file is shared, committed, or exposed through backups or logs, an attacker could use these credentials to access the database and extract or modify data.

Missing User Warnings

Medium
Confidence: 88%
Finding
The guide documents backup, restore, and cleanup operations that can overwrite data, restore untrusted dumps, or delete retained backups, but it does not include warnings about testing restores, verifying target environments, or confirming destructive actions. In a database administration skill, such omissions increase the chance of accidental data loss or unsafe recovery procedures, especially when commands are copied directly into production workflows.

Missing User Warnings

Medium
Confidence: 90%
Finding
The schema migration examples show irreversible operations such as altering column types, adding columns, and migrating data without warning about lock contention, compatibility risks, rollback planning, or pre-migration backups. In production database contexts, users may execute these examples verbatim, causing outages, failed migrations, or data corruption if the change is not reversible or carefully staged.

Missing User Warnings

Medium
Confidence: 86%
Finding
The production backup workflow advises uploading database backups to remote storage but omits warnings about encrypting backups, restricting bucket access, protecting credentials, and avoiding exposure of sensitive data in transit or at rest. Because backups often contain full datasets, weak guidance here can lead to mass data disclosure if operators store dumps in misconfigured or publicly accessible locations.

Missing User Warnings

Medium
Confidence: 89%
Finding
The cleanup routine deletes files irreversibly based only on age, without confirmation, dry-run support, path safety checks, or filtering to known backup filenames. In a backup utility, accidental or misconfigured deletion is especially dangerous because it can destroy the very recovery artifacts needed after an incident.

Missing User Warnings

Medium
Confidence: 87%
Finding
The tool accepts user-provided SQL/table input and executes it on a live database, but it does not clearly warn users that real statements will run and may have side effects. In this context, that omission materially increases the chance of accidental destructive execution because the script is framed as an analyzer/optimizer rather than an executor.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.