Back to skill

Security audit

database-doc-generator

Security checks across malware telemetry and agentic risk

Overview

The skill can generate PostgreSQL schema documentation, but it also bundles broader file-changing credential cleanup and risky credential-handling examples that users should review before installing.

Use this only with a read-only database account and avoid pasting real passwords into prompts, shell history, or committed config files. Review and avoid scripts/clean_credentials.py unless you intentionally want broad repository edits and have backups. Prefer environment variables or a secret manager, keep generated Excel files in a protected location, and treat the incident-response examples as reference material rather than commands to run automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The documented behavior extends beyond simple schema export into security auditing, scanning project files for credential references, modifying files in place, creating backups, and deleting them later. That expansion of scope is dangerous because users invoking a documentation skill would not reasonably expect source-tree inspection and mutation, which can expose secrets, alter unrelated files, or damage project state.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The Dockerfile example embeds default database credential environment variables directly into the image with ENV instructions. Even though the values are examples, baking credential-shaped defaults into an image normalizes insecure practice and can leak via image inspection, inherited layers, or accidental deployment with defaults unchanged.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This script is unrelated to the stated purpose of generating PostgreSQL schema documentation and performs repository-wide credential-scrubbing and file rewriting instead. Even if framed as a hygiene tool, bundling broad file-modification logic into an unrelated skill increases the chance of unexpected tampering, concealment of sensitive artifacts, or accidental alteration of project files beyond the user's intended task.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code recursively scans a root directory, rewrites matching files, creates backup artifacts, and optionally deletes all .bak files under the tree. That is broad local file modification behavior unrelated to documentation generation, and in a skill context it is dangerous because it can alter source, docs, configs, or other local assets with minimal user awareness and with patterns that are not safely constrained.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The CLI and config handling inconsistently use a nonstandard credential field name, 'EXAMPLE_PASSWORD', while examples and surrounding text refer to normal password usage. This mismatch can cause operators to place secrets in the wrong parameter or config key, leading to failed authentication, accidental secret exposure in logs/scripts, and insecure workarounds. In a database-documentation skill, credential handling is core functionality, so confusing secret inputs increases operational security risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README shows prompts and connection examples that include plaintext usernames and passwords, which normalizes secret sharing in chat prompts and command examples. Even though placeholder values are used, this can lead users to paste real database credentials into agent conversations, logs, shell history, or telemetry, exposing access to production databases.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.