DBCheck Database Inspection

Security checks across malware telemetry and agentic risk

Overview

This database inspection skill appears legitimate, but it needs review because it handles database and SSH credentials, runs remote host checks, and stores sensitive operational data more broadly than its safety notes suggest.

Install only for authorized database environments and prefer least-privileged read-only database accounts. Avoid entering real passwords in command-line arguments or batch spreadsheets, protect generated reports and history.db, keep AI diagnosis disabled unless you are using a trusted local Ollama instance, and do not use the SSH option unless you are comfortable with auto-accepted host keys and remote system inventory collection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (32)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        else:
            import subprocess
            try:
                return subprocess.check_output(cmd, shell=True, stderr=subprocess.DEVNULL, timeout=30).decode('utf-8', errors='ignore')
            except Exception:
                return ""
Confidence
96% confidence
Finding
return subprocess.check_output(cmd, shell=True, stderr=subprocess.DEVNULL, timeout=30).decode('utf-8', errors='ignore')

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script expands from database inspection into remote host command execution over SSH, which increases the attack surface and trust requirements. Because it executes shell commands on a remote system, misuse, credential compromise, or targeting the wrong host could expose system details or enable unintended remote actions beyond the stated DB check function.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The AI diagnosis stage packages database and host-derived metrics and sends them to a configured external backend. That creates an unintended data exfiltration path for operationally sensitive information such as hostnames, uptime, wait events, Top SQL fragments, and risk summaries, which exceeds a strictly local inspection/reporting function. In a DBA tool used on production systems, this context makes the issue more serious because even partial metadata can expose internal architecture and workload details.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code accepts SSH credentials and then executes arbitrary shell commands on remote hosts via `exec_command`, while also automatically trusting unknown host keys. In the context of a database health-check skill, this is a materially stronger capability than necessary and creates a high-value pathway for unauthorized remote command execution if the tool, its configuration, or invoking agent is misused.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The batch workflow creates and reads Excel files containing database and SSH passwords in plaintext, turning the tool into a credential repository. If the spreadsheet is copied, backed up, emailed, or accessed by another local user, those secrets can be reused to access databases and remote hosts.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This SQL Server inspection script performs host-level system inventory in addition to database checks, including local collection via psutil and remote collection over SSH. In a database health-checking tool this is broader-than-expected data access and increases privacy and blast-radius concerns, especially because host CPU, memory, disk, hostname, and platform details are gathered and later included in reports and AI analysis.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The SSH client uses paramiko.AutoAddPolicy(), which silently trusts any presented host key instead of verifying the server identity. This enables man-in-the-middle attacks where an attacker can impersonate the target host, capture credentials, and feed back falsified system data to the report.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
Remote OS handling is decided by platform.system() on the machine running the script rather than on the SSH target, so the tool may execute the wrong command set against remote systems. This can cause incorrect data collection, failed inspections, misleading reports, and in some environments unintended command execution attempts on the remote host.

Intent-Code Divergence

Low
Confidence
89% confidence
Finding
The note claims there is 'no network exfiltration whatsoever,' but the tool explicitly connects to user-specified databases, which is still network communication in many deployments. This is primarily a misleading security statement rather than direct malicious behavior, but it can cause users to underestimate exposure of database credentials and query metadata over the network.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
Describing the tool as 'read-only health inspection' is inaccurate in the same document because it also stores credentials locally and writes reports to disk. This can mislead users about side effects, especially in regulated environments where local persistence of secrets and generated reports matters.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill advertises broad natural-language activation such as asking the assistant to inspect a database, without clear scoping or confirmation boundaries. In an agent environment, overly generic trigger phrases can cause unintended invocation of a high-impact skill that collects credentials, connects to databases, and generates reports, increasing the risk of accidental execution against sensitive systems.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The supported instruction examples are ambiguous and resemble ordinary conversation, which raises the chance that the assistant may activate the skill unintentionally. Because this skill can initiate inspection workflows against real databases and solicit privileged credentials, accidental triggering has meaningful security and operational consequences.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code serializes and stores the full inspection context into SQLite via `context_json`, and that context can plausibly contain sensitive operational details such as host information, versions, health findings, and possibly credentials or query text depending on upstream collectors. Persisting the entire raw context without minimization, redaction, encryption, retention controls, or any user disclosure increases the blast radius of local file compromise and creates unnecessary long-term exposure of sensitive database metadata.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The SSH client explicitly disables host key verification by using AutoAddPolicy, allowing silent trust of any presented server key. This enables man-in-the-middle attacks where an attacker can impersonate the target host, capture credentials, and feed back falsified system inspection results.

Missing User Warnings

High
Confidence
95% confidence
Finding
The script sends the full database inspection context to an AI backend if configured, without an explicit consent gate or data-minimization step in this flow. That context can contain sensitive operational metadata, user/account information, SQL text, topology, and security findings, creating a real confidentiality risk when transmitted to external services.

Missing User Warnings

High
Confidence
95% confidence
Finding
The slow-query analysis path may pass query data and related database context to an AI advisor, again without a clear disclosure or confirmation step in the shown code. Slow-query payloads often include SQL text, schema names, literals, and workload patterns, which can reveal sensitive business logic or data characteristics.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Accepting database and SSH passwords via command-line arguments exposes secrets to shell history, process listings, job control logs, and monitoring tools on multi-user systems. In an administrative database-inspection tool, these credentials are especially sensitive because they may grant privileged DB or root-like host access.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The SSH client uses `paramiko.AutoAddPolicy()`, which silently trusts and stores any host key presented by the remote server. This disables meaningful host authenticity verification and exposes users to man-in-the-middle attacks, especially dangerous here because the tool handles database and SSH credentials and runs administrative inspection commands on remote hosts.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The tool creates and consumes Excel templates containing database and SSH passwords in plaintext, and even includes example credentials. These files are easy to copy, email, or leave on shared systems, creating a straightforward credential exposure risk that can lead to database or server compromise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The SSH client sets AutoAddPolicy, which automatically trusts unknown host keys without verification. This enables man-in-the-middle attacks against the SSH session, allowing an attacker to intercept credentials or feed falsified OS inspection data. Because this tool is intended for remote database host inspection, the trust model matters and the risk is meaningful in real environments.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The collector gathers sensitive host data including hosts entries, sysctl values, limits.conf, crontab, network addresses, and selected passwd entries, but this file provides no clear user-facing disclosure of that breadth of collection. In an admin tool, collecting such data may be legitimate, yet undisclosed collection raises privacy and operational security concerns, especially when combined with reporting and optional AI export paths.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
AI diagnosis can transmit internally derived database/system metrics to an external service, and this file does not show an explicit warning or confirmation step before doing so. Even if no raw credentials are sent, metadata such as SQL identifiers, SQL text fragments, hostnames, and performance symptoms can be sensitive and useful for reconnaissance. The skill context increases risk because production DBA tools often handle confidential infrastructure details.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Using `paramiko.AutoAddPolicy()` silently trusts any presented SSH host key, which defeats host authenticity checks and enables man-in-the-middle interception of credentials and command output. Because this tool handles SSH passwords/keys and runs remote commands, the surrounding context makes this especially dangerous.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The template intentionally includes fields for database and SSH passwords and saves example plaintext secrets into an Excel file, normalizing insecure secret handling. That creates an immediate disclosure risk from local compromise, accidental sharing, or routine office file handling.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Auto-accepting SSH host keys without a clear warning removes a key integrity control for remote administration. Users may believe they are securely connecting to a known server while the tool silently trusts an attacker-controlled endpoint, exposing SSH passwords or private-key-authenticated sessions to interception.

VirusTotal

66/66 vendors flagged this skill as clean.
