Middleware Query

Security checks across malware telemetry and agentic risk

Overview

This read-only database helper is mostly coherent, but it needs review because unclear requests can trigger a broad `users`-table query, and prompts may be sent to OpenAI whenever an API key is present.

Review before installing. Use only dedicated read-only, least-privileged database accounts; avoid production profiles unless explicitly approved; unset `OPENAI_API_KEY` if prompts or schema context must stay local; fix or disable the default `users`-table fallback before broad use; protect `connections.json`; and clean up generated plan files that may reveal sensitive query details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation describes capabilities that involve environment-variable access, reading and writing local files, and invoking script-based executors, yet it declares no explicit permissions. That mismatch weakens security review and runtime governance because an agent may use sensitive capabilities such as credential loading from env vars or local connection files without transparent authorization boundaries. In this context, the danger is elevated because the skill handles database credentials and local data sources, so undeclared file/env access can expose secrets or broaden access beyond what users expect.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The planner sends raw user request text to an external OpenAI API, which expands the skill's trust boundary beyond the local databases/middleware described in the metadata. In a database-query skill, user prompts may contain sensitive business data, key names, hostnames, credentials, or internal schema details, so undisclosed remote transmission creates a real data exposure risk even if the API call is only used for planning.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Reading `OPENAI_API_KEY` from the environment enables a remote capability unrelated to the stated read-only local middleware querying purpose, making network egress possible whenever that secret is present. In practice this means deployment configuration alone can silently change the skill from local-only behavior to external data sharing, which is a meaningful security and privacy risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script accepts Mongo connection parameters from process environment variables, even though the skill description emphasizes explicit connection configuration. This expands the trust boundary beyond user-supplied arguments/profile files and can cause the executor to silently connect to unintended databases using ambient secrets present in the runtime, undermining predictability and policy enforcement.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
For any input not matched as Redis or Mongo, the router emits a fixed MySQL query against a hard-coded `users` table. In a skill advertised as natural-language read-only querying, this can cause unintended disclosure of user records unrelated to the request, violating least privilege and user intent. The skill context makes this more dangerous because it is explicitly designed to connect to local databases and execute the generated plan deterministically.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The examples explicitly demonstrate querying user and order records from MySQL, Redis, and MongoDB, which commonly contain personal, financial, or operationally sensitive data. Even though the skill is described as read-only, documentation that normalizes direct access to such records without privacy, authorization, or data-minimization guidance increases the risk of inappropriate data exposure and misuse.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The examples recommend storing generated execution plans under `/tmp`, a location that may be broadly readable by other local users or exposed through debugging, backups, or temporary-file collection practices. If the plan contains natural-language requests, collection names, key patterns, filters, or other operational context, this can leak sensitive query intent or data access details.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code forwards user request content to an external LLM service without any user-facing disclosure, consent, or warning. Because natural-language database queries often include sensitive internal data requests and infrastructure context, this undisclosed sharing is especially risky in this skill context and can violate user expectations or data-handling requirements.

VirusTotal

66/66 vendors rated this skill as clean.