Kingdee ERP Sales Order Execution Status Query

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for ERP database lookup, but it reportedly publishes reusable database credentials and broad discovery queries that users should review before installing.

Do not install this unless the publisher removes the embedded database credentials, rotates the exposed account, and narrows the SQL templates to approved business queries. If you operate the database, treat the credential as compromised and review access logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The documentation directly exposes hardcoded host, port, username, password, and database name for what appears to be a live ERP PostgreSQL instance. Anyone who can read the skill may be able to authenticate to the database and access sensitive procurement, sales, inventory, and financial records, making this a direct secret leakage issue.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The claim that the account is 'read-only' is not a reliable control when the skill publishes reusable credentials directly; readers cannot verify the actual privileges, and the account may have more access than stated. Even if truly read-only, exposure still enables unauthorized data extraction, metadata discovery, and operational intelligence gathering from a production ERP environment.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The template includes schema-enumeration queries against information_schema and record-count discovery that go beyond the stated business purpose of document lookup and analysis. In an agent skill, exposing database metadata broadens reconnaissance capability, making it easier to identify tables and plan further sensitive queries even if the queries are read-only.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The query against t_bos_atomicincr_generator accesses system configuration for numbering rules rather than business documents. This can reveal internal document-generation patterns and system configuration details that are unnecessary for normal business analysis and may aid enumeration or fraud planning.

Missing User Warnings

High
Confidence: 99%
Finding
The markdown reveals live database connection details without protective handling, which is a straightforward credential disclosure vulnerability. In the context of an ERP skill, this is especially dangerous because the database likely contains commercially sensitive and regulated business data, and the examples further assist an attacker in enumerating tables and extracting records.

VirusTotal

65/65 vendors flagged this skill as clean.
