timeplus-sql-guide

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Timeplus SQL helper, but it can make persistent database changes, install server-side Python packages, run embedded code, and send data to outside services without strong user-confirmation guidance.

Use this only with trusted Timeplus environments and scoped, low-privilege credentials. Prefer HTTPS or a protected local network, review every generated command before execution, and require explicit approval before CREATE, DROP, INSERT, DELETE, UDF creation, SYSTEM INSTALL PYTHON PACKAGE, sink creation, or any webhook/external connector that can transmit data outside Timeplus.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The guide explicitly instructs the agent to run `SYSTEM INSTALL PYTHON PACKAGE 'faker'` and create a `LANGUAGE PYTHON` UDF, which expands the skill from SQL assistance into server-side package installation and code execution. In the context of an agent that can execute SQL over HTTP, this is dangerous because a user asking for synthetic data could indirectly trigger environment modification and executable code deployment on the database server.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The documentation expands the skill's effective capability beyond the stated SQL-over-HTTP interface by introducing a separate management API on port 8000 using an API key. This can cause an agent or user to perform privileged sink-management actions, including creating outbound connectors, under the mistaken assumption that the skill only executes SQL on port 8123. The mismatch increases the risk of unauthorized data egress and privilege misuse.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The documentation expands the skill’s capabilities beyond local SQL execution by introducing Remote UDFs that call external HTTP webhooks. In this skill context, that broadens the trust boundary and can enable outbound data transfer or invocation of arbitrary external services without clearly warning users about the security implications.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The package installation guidance encourages adding arbitrary Python libraries, including networking-capable ones such as requests, which materially increases what embedded UDFs can do. In a SQL guide skill, this can enable unbounded code execution patterns, external communications, and supply-chain risk beyond the expected SQL-only scope.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly encourages executing broad SQL operations including DDL, DML, ingestion, sinks, and UDF-related workflows without any safety gate, confirmation requirement, or warning about destructive changes and outbound data flows. In an agent setting, this can cause unauthorized schema changes, data modification, or exfiltration if a user prompt or indirect prompt injection leads the model to run commands automatically.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill documents sending SQL over plain HTTP using environment-supplied credentials but does not warn about transport security, credential handling, or the sensitivity of transmitted queries and results. This creates a real risk of credential leakage or interception on untrusted networks and may expose sensitive data in transit.

Missing User Warnings

Medium
Confidence: 89%
Finding
This example defines a Python UDF that sends alert data to a Slack webhook, but the documentation does not clearly warn that using it will cause outbound network transmission of stream-derived data. In a skill that helps users write and execute Timeplus SQL, this is meaningful because users may copy the example into a live environment and unintentionally exfiltrate operational data to an external service.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation includes examples that send credentials over plain HTTP and even embeds credentials directly in a URL. This can leak usernames and passwords via network interception, shell history, logs, proxy logs, or process inspection, which is especially risky because this skill is explicitly designed to execute SQL against a live service using environment-provided credentials.

Missing User Warnings

Medium
Confidence: 93%
Finding
This guide includes multiple examples that transmit data to external services (HTTP webhooks, WebSocket feeds, third-party APIs) without any explicit privacy, security, or data-sharing warning. In a skill that helps users execute SQL and embed Python code directly into streaming pipelines, such examples can normalize sending live event payloads off-platform and may lead users to exfiltrate sensitive production data unintentionally.

Missing User Warnings

Medium
Confidence: 97%
Finding
The markdown presents package installation and Python UDF creation as normal setup steps without any warning that they perform code execution and persistent environment changes. That omission increases the chance an automated SQL agent will execute these commands without appropriate scrutiny, potentially enabling arbitrary Python execution or unauthorized software changes on the Timeplus host.

Missing User Warnings

Medium
Confidence: 93%
Finding
The examples show multiple ways to send data to Kafka, databases, S3, Slack/webhooks, and management APIs without any user-facing warning that these operations transmit data outside Timeplus. In an agent setting, this omission is dangerous because users may request analytics help while the skill also normalizes exfiltration-capable patterns, making accidental or unauthorized outbound data transfer more likely.

Missing User Warnings

Medium
Confidence: 95%
Finding
The curl examples use credentialed HTTP with basic auth variables and do not warn about transport security, shell history, logging, or exposure to intermediaries. If used over plain HTTP or in shared environments, credentials and administrative actions could be intercepted or leaked.

Missing User Warnings

Medium
Confidence: 90%
Finding
Describing Remote UDFs as calling external APIs without any warning obscures that query data or derived data may be transmitted outside the database environment. In this context, users may treat the skill as a local SQL guide and miss that it enables outbound data flow to third-party systems.

VirusTotal

65/65 vendors flagged this skill as clean.