Databricks

Security checks across malware telemetry and agentic risk

Overview

This Databricks skill is internally consistent (its documented actions match what it does), but it gives an agent broad authenticated power over Databricks resources without clear safety limits.

Install only if you trust Membrane and intend to let the agent operate in your Databricks workspace. Use a least-privileged Databricks account or connection, avoid admin credentials, and require explicit review of the target resource, HTTP method, path, and payload before any create, update, run, stop, or delete operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The activation trigger is broad enough that the skill could be selected for many generic 'Databricks data' requests without narrowing the scope to read-only or low-risk tasks. In a capability-rich integration that includes cluster, job, notebook, and proxy operations, overbroad routing increases the chance the agent invokes high-impact actions in situations where the user did not clearly authorize administrative changes.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The documentation enumerates start/stop/edit/run/create/delete-style Databricks operations but provides no warning that these actions can change infrastructure state, incur cost, interrupt workloads, or delete resources. In an agent setting, missing confirmation and safety expectations can lead to unintended execution of destructive or costly operations from ambiguous user prompts.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The proxy request feature enables arbitrary authenticated Databricks API calls, including endpoints that can modify or delete resources, but the skill does not warn about that power or impose safety boundaries. This materially increases risk because it bypasses the safer semantics of curated actions and could be used to perform broad state-changing operations with little transparency.
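One way to put the safety boundary the finding above asks for in front of the proxy feature, and to produce the review of target resource, HTTP method, path and payload that the overview recommends before any create, update, run, stop or delete operation. This is an added example, not code from the skill, from Membrane, or from Databricks: the endpoint paths are real Databricks REST API routes, but the three tiers, the names (`classify`, `review_summary`, `triage`), the `allow_destructive` switch and the sample requests are our own constructed policy. The point it makes is that the HTTP method alone is not a safe gate: reading a secret is a plain GET, while launching a job run or deleting a cluster is a plain POST.

```python
"""Pre-flight gate for proxy requests an agent wants to send to the Databricks REST API.

Added example: not code from the skill or from Databricks. The endpoint paths are
real Databricks REST API routes; the tiers, names and policy are hypothetical.
"""
from dataclasses import dataclass, field
import re

# Endpoints that remove resources: denied unless the operator opts in explicitly.
DESTRUCTIVE = [
    r"^/api/2\.[01]/clusters/(delete|permanent-delete)$",
    r"^/api/2\.[01]/jobs/delete$",
    r"^/api/2\.0/workspace/delete$",
    r"^/api/2\.0/dbfs/delete$",
]
# Endpoints that change infrastructure state, start compute or incur cost:
# always routed to human review with the fields the overview lists.
STATE_CHANGING = [
    r"^/api/2\.[01]/clusters/(create|edit|start|restart|resize)$",
    r"^/api/2\.[01]/jobs/(create|reset|update|run-now)$",
    r"^/api/2\.[01]/jobs/runs/(cancel|submit)$",
    r"^/api/2\.0/workspace/(import|mkdirs)$",
    r"^/api/2\.0/dbfs/(put|mkdirs|move)$",
]
# Credential access. Reading a secret is a GET, so a gate that trusts the HTTP
# method alone would wave it through.
CREDENTIAL = [
    r"^/api/2\.0/secrets/",
    r"^/api/2\.0/token/",
    r"^/api/2\.0/token-management/",
]
# Body keys that identify the target resource, for the review summary.
RESOURCE_KEYS = ("cluster_id", "job_id", "run_id", "path", "warehouse_id", "id")


@dataclass
class Decision:
    verdict: str            # "allow" | "review" | "deny"
    reason: str
    summary: dict = field(default_factory=dict)


def _matches(patterns, path):
    return any(re.match(p, path) for p in patterns)


def review_summary(method, path, body):
    """The four things a reviewer must see before approving: resource, method, path, payload."""
    body = body or {}
    resource = next((f"{k}={body[k]}" for k in RESOURCE_KEYS if k in body), "unspecified")
    return {"resource": resource, "method": method, "path": path, "payload": body}


def classify(method, raw_path, body=None, allow_destructive=False):
    """Decide whether a proxy request may be sent, needs review, or is refused."""
    method = method.upper()
    path = raw_path.split("?", 1)[0]   # match on the route; the query string stays in the summary
    summary = review_summary(method, raw_path, body)
    if not path.startswith("/api/"):
        # An absolute URL or non-API path would let the proxy reach something other
        # than the workspace REST API, possibly a different host entirely.
        return Decision("deny", "not a Databricks REST API path", summary)
    if _matches(CREDENTIAL, path):
        return Decision("deny", "secret/token endpoints are out of scope for the agent", summary)
    if method == "DELETE" or _matches(DESTRUCTIVE, path):
        if not allow_destructive:
            return Decision("deny", "destructive operation; operator has not opted in", summary)
        return Decision("review", "destructive operation; explicit approval required", summary)
    if _matches(STATE_CHANGING, path):
        return Decision("review", "changes workspace state or incurs cost", summary)
    if method == "GET":
        return Decision("allow", "read-only endpoint", summary)
    # Any other POST/PUT/PATCH is a mutation we have not classified: review, never auto-send.
    return Decision("review", f"unclassified {method}; treat as state-changing", summary)


# Constructed sample requests, roughly what an agent might emit for a vague
# "help me with my Databricks jobs" prompt.
SAMPLE_REQUESTS = [
    ("GET", "/api/2.0/clusters/list", None),
    ("POST", "/api/2.1/jobs/run-now", {"job_id": 1234}),
    ("POST", "/api/2.0/clusters/delete", {"cluster_id": "0123-456789-abcdefgh"}),
    ("GET", "/api/2.0/secrets/get?scope=prod&key=db-password", None),
    ("DELETE", "/api/2.0/sql/warehouses/abc123", None),
    ("GET", "https://attacker.example/collect", None),
]


def triage(requests=SAMPLE_REQUESTS):
    """Return {verdict: [path, ...]} for a batch of proposed requests."""
    out = {"allow": [], "review": [], "deny": []}
    for method, path, body in requests:
        out[classify(method, path, body).verdict].append(path)
    return out


if __name__ == "__main__":
    for method, path, body in SAMPLE_REQUESTS:
        d = classify(method, path, body)
        print(f"{d.verdict:6} {method:6} {path}  ({d.reason})")
```

Run in front of the skill's proxy action so that only "allow" decisions are sent automatically, "review" decisions are shown to the user with the summary dict, and "deny" decisions are refused regardless of what the prompt asked for. The unclassified-mutation branch is deliberate: a new or unlisted endpoint falls into review rather than allow, so the gate fails closed when Databricks adds routes.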

VirusTotal

65/65 vendors flagged this skill as clean.