Sql Buddy

Security checks across malware telemetry and agentic risk

Overview

This database assistant is not malware, but it needs review because it overstates its safety while handling database credentials, write execution, schema metadata, and row samples in sensitive ways.

Install only if you are comfortable giving the skill access to the target databases, and with model prompts that may contain schema details and small row samples. Use least-privilege, read-only database accounts, avoid saving passwords through the skill, and do not enable allow_write on production data unless you have reviewed the generated SQL yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Intent-Code Divergence (severity: High, confidence: 99%)
The module claims to be a safe, read-only executor, but the enforcement path is broken: the code imports `is_read_only_query` directly yet calls `security.is_read_only_query(sql)`, which will raise and prevent the intended safety check from functioning. In addition, all backend helpers include commit paths for non-SELECT statements, so if the guard is fixed incorrectly or bypassed, destructive writes can execute despite the safety claims.

Intent-Code Divergence (severity: Medium, confidence: 95%)
The documentation states that parameterized queries are used, but every execution path passes the full SQL string directly to `cursor.execute(sql)` with no parameter binding. In a skill that converts natural language into SQL, this mismatch is dangerous because downstream components or users may trust the safety claim and allow untrusted input to flow into raw SQL execution.

Intent-Code Divergence (severity: Medium, confidence: 97%)
The module claims to enforce read-only SQL safety, but `is_read_only_query` defaults to allowing any unrecognized statement by returning `True`. In a natural-language-to-SQL assistant, that fail-open behavior can let dangerous dialect-specific or obfuscated write operations bypass the guard, especially when this function is relied on as the policy check before execution.
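A fail-closed version of the guard this finding describes, placed beside the fail-open pattern and wired into the execution path the first finding says is broken. This is an added example, not the skill's own code; the function names, the keyword lists and the in-memory SQLite table are assumptions, and it goes slightly beyond the finding by also rejecting stacked statements and comment-hidden writes.

```python
import re
import sqlite3

# Constructed example, not the skill's own code: a fail-closed read-only gate
# beside the fail-open pattern the finding describes.
_READ_ONLY_PREFIXES = ("SELECT", "SHOW", "DESCRIBE", "EXPLAIN")
_WRITE_KEYWORDS = re.compile(
    r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|TRUNCATE|CREATE|GRANT|REVOKE|"
    r"MERGE|REPLACE|CALL|EXEC|EXECUTE|COPY|INTO|PRAGMA|ATTACH)\b", re.I)

def _normalize(sql):
    """Strip block and line comments so a write cannot hide behind them."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)
    return re.sub(r"--[^\n]*", " ", sql).strip()

def is_read_only_query_fail_open(sql):
    """The anti-pattern: deny a short list, allow everything unrecognized."""
    words = _normalize(sql).split(None, 1)
    first = words[0].upper() if words else ""
    if first in ("INSERT", "UPDATE", "DELETE", "DROP"):
        return False
    return True  # TRUNCATE, ALTER, CALL and stacked statements slip through

def is_read_only_query(sql):
    """Fail closed: one statement, allowlisted verb, no write keyword anywhere.
    Prefers a false rejection (a column named "call") over letting an
    unrecognized statement reach cursor.execute()."""
    statements = [s.strip() for s in _normalize(sql).split(";") if s.strip()]
    if len(statements) != 1:
        return False  # empty input or stacked statements
    stmt = statements[0]
    if stmt.split(None, 1)[0].upper() not in _READ_ONLY_PREFIXES:
        return False
    return _WRITE_KEYWORDS.search(stmt) is None

def run_guarded(conn, sql):
    """Gate every execution on the guard instead of falling through to commit."""
    if not is_read_only_query(sql):
        raise PermissionError("refused: statement is not provably read-only")
    return conn.execute(sql).fetchall()

def demo_connection():
    """Constructed in-memory SQLite database for exercising the gate."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn
```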

Missing User Warnings (severity: Medium, confidence: 95%)
The code saves the full connection configuration, including database passwords, directly to a local JSON file in the user's home directory. This is dangerous because local plaintext credential storage can expose secrets to other local users, malware, backups, or accidental file disclosure, and the code explicitly prioritizes convenience over secure secret handling.

Missing User Warnings (severity: Medium, confidence: 90%)
The PostgreSQL execution path commits non-SELECT operations automatically, with no confirmation or secondary authorization at the point of execution. In a tool marketed as safe and read-only by default, silent commits increase the chance of accidental or unauthorized data modification if the write gate is enabled or bypassed.

Missing User Warnings (severity: Medium, confidence: 94%)
The prompt sent to the LLM includes raw query text, generated SQL, column names, sample row values, and numeric summaries with no redaction, minimization, or user consent boundary. In a SQL assistant, query results often contain sensitive business or personal data, so forwarding them wholesale to an external model can cause unintended data disclosure and prompt-injection exposure through malicious row contents.

Missing User Warnings (severity: Medium, confidence: 84%)
The function explicitly formats database schema metadata for inclusion in an LLM prompt, which can disclose internal table names, column names, keys, defaults, comments, and relationship structure to an external model or downstream logging/telemetry pipeline. While no row data is included, schema metadata is often sensitive because it reveals business entities, security-relevant fields, and attack surface, and this skill’s purpose of converting natural language to SQL makes such transmission a core workflow rather than an incidental edge case.

VirusTotal

64/64 vendors flagged this skill as clean.