Back to skill

Security audit

Simpleerp DB

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent read-only SimpleERP Oracle database helper, but it warrants Review because it handles live database credentials, can persist them locally, and instructs agents to run live queries without a confirmation step.

Install only with a least-privilege read-only Oracle account. Avoid using the sync-env path for real passwords when possible; prefer short-lived environment injection or a protected secret manager, delete any workspace .env after use, and review queries before allowing the agent to run against production or sensitive ERP data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (20)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The prompt explicitly instructs persisting user-supplied database credentials into a workspace `.env` file. Persisting secrets to disk expands their lifetime and exposure surface beyond the immediate read-only query operation, increasing the risk of accidental reuse, leakage through logs, commits, or later workspace access.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documented capability to run `npm run sync-env` and persist `DB_*` values is not necessary for the stated purpose of read-only SQL execution and schema export. Adding a credential-retention path without a clear functional need creates avoidable secret-handling risk and broadens the skill's behavior beyond least privilege.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The line instructs the agent to treat repository files as mutable session memory and to update them each session, which expands the skill from read-only database analysis into modifying local files. In an agent setting, this can lead to unauthorized workspace changes, persistence of sensitive query results or prompts, and behavior that contradicts the stated read-only purpose of the skill.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This script persists Oracle credentials, including DB_PASSWORD, into a workspace .env file in plaintext. Even if intended for convenience, writing long-lived secrets to disk increases exposure through source-control mistakes, backups, other local tooling, or broader workspace access, and it expands the skill beyond a strictly read-only query role into credential handling.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The instruction to 'Read them. Update them.' grants the skill a persistence and file-modification behavior that exceeds its stated purpose of read-only Oracle querying and schema export. This can lead the agent to alter local documentation or memory files without explicit user authorization, creating a path for unauthorized state changes, instruction persistence across sessions, or tampering with future agent behavior.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script persists DB credentials from CLI arguments or environment variables into a workspace-local .env file, creating a durable secret at rest that may be unintentionally exposed through source control, workspace sharing, backups, or other local tooling. For a skill described as a read-only SQL/schema helper, long-term secret storage is not strictly necessary to answer database questions and increases the attack surface beyond transient runtime use.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
This code adds a local secret-persistence capability that is broader than the stated purpose of performing read-only SQL queries and schema export. Even if the database account is intended to be read-only, persisted credentials can still be reused by any process or user with access to the workspace, enabling unauthorized database access and expanding the blast radius of credential compromise.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation description is broad enough to trigger on many generic database-related requests, which can cause the agent to invoke a credentialed, live-database skill more often than necessary. In this context, over-broad activation increases the chance of unnecessary access to sensitive enterprise schema metadata or execution of ad-hoc queries when a safer, non-live alternative might suffice.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The markdown tells the agent to update its memory files without disclosing to the user that repository files may be modified as part of normal operation. This creates a transparency and integrity risk: the agent may silently alter project files, potentially storing sensitive ERP-derived information or changing skill behavior across runs without explicit user consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly shows passing `--db-password` on the command line, which can expose secrets through shell history, process listings, audit logs, terminal recording, or CI job logs. In this skill's context, the credentials are for a live Oracle-backed SimpleERP environment, so disclosure could enable unauthorized database access even though the skill is described as read-only.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The playbook explicitly directs the agent to execute database queries automatically whenever the task appears to need a DB read and credentials are present. Even though the script is limited to SELECT/WITH/EXPLAIN PLAN, autonomous execution against a live database can expose sensitive business data, trigger overly broad queries, and bypass a meaningful user confirmation step for access to production-like systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown directs the agent to update local memory files but does not warn the user that using the skill may modify repository files. In a skill advertised for read-only database analysis, silent local file changes are risky because they can surprise users, corrupt references, or plant persistent instructions that affect later sessions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This file explicitly encourages persistent collection and updating of personal profile details about the user, including name, preferred form of address, timezone, and free-form notes, without any stated minimization, retention, consent, or privacy safeguards. In a database-access skill that already handles enterprise data and credentials, normalizing ad hoc user profiling increases the risk of unnecessary sensitive-data accumulation and later misuse or leakage.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
When the user’s task needs a DB read or schema regeneration, **execute the commands yourself** in this workspace—do not only tell the user what to run, and **do not ask** whether it is OK to run `run-sql.mjs` or `gen-table-index.mjs` when the task clearly needs them.

- **Automatic runs:** If `DB_*` credentials are available, run `npm run sql -- "<QUERY>"` immediately. Run `npm run table-index` when regenerating references. Ensure `npm install` once if modules are missing.
- **Credentials missing:** Do not prompt for passwords. Let the script fail; tell the user only that `DB_*` must be set (see `.env.example`), without asking them to paste secrets into chat.
- **Scope:** Use **only** `SELECT` / `WITH` / `EXPLAIN PLAN` through this script.
Confidence
93% confidence
Finding
without asking

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
When the user’s task needs a DB read or schema regeneration, **execute the commands yourself** in this workspace—do not only tell the user what to run, and **do not ask** whether it is OK to run `run-sql.mjs` or `gen-table-index.mjs` when the task clearly needs them.

- **Automatic runs:** If `DB_*` credentials are available, run `npm run sql -- "<QUERY>"` immediately. Run `npm run table-index` when regenerating references. Ensure `npm install` once if modules are missing.
- **Credentials missing:** Do not prompt for passwords. Let the script fail; tell the user only that `DB_*` must be set (see `.env.example`), without asking them to paste secrets into chat.
- **Scope:** Use **only** `SELECT` / `WITH` / `EXPLAIN PLAN` through this script.
Confidence
92% confidence
Finding
without asking

Credential Access

High
Category
Privilege Escalation
Content
2. Read references/table-reference.md or table-index.md as needed for correct table and column names.
3. **You** choose the read-only Oracle SQL (SELECT or WITH only) that answers ${QUESTION}. Use FETCH FIRST 50 ROWS ONLY unless a count or aggregate alone is enough.
4. Run the query (cross-platform):
   - If .env is not set: node scripts/sync-db-env.mjs --db-user="${DB_USER}" --db-password="${DB_PASSWORD}" --db-connect-string="${DB_CONNECT_STRING}"
   - Then: npm run sql:save -- "<your SELECT here>"
   - Or one shot: node scripts/run-sql.mjs --db-user=... --db-password=... --db-connect-string=... -o output/last-query.json "<your SELECT>"
5. Read output/last-query.json and reply with:
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
throw e;
  }

  const skillEnv = path.join(SKILL_ROOT, '.env');
  if (fs.existsSync(skillEnv)) {
    dotenv.config({ path: skillEnv });
  }
Confidence
81% confidence
Finding
.env'

Credential Access

High
Category
Privilege Escalation
Content
import path from 'path';
import { SKILL_ROOT } from './lib/paths.mjs';

const ENV_PATH = path.join(SKILL_ROOT, '.env');

const FLAG_MAP = {
  '--db-user': 'DB_USER',
Confidence
88% confidence
Finding
.env'

Credential Access

High
Category
Privilege Escalation
Content
2. Read references/table-reference.md or table-index.md as needed for correct table and column names.
3. **You** choose the read-only Oracle SQL (SELECT or WITH only) that answers ${QUESTION}. Use FETCH FIRST 50 ROWS ONLY unless a count or aggregate alone is enough.
4. Run the query (cross-platform):
   - If .env is not set: node scripts/sync-db-env.mjs --db-user="${DB_USER}" --db-password="${DB_PASSWORD}" --db-connect-string="${DB_CONNECT_STRING}"
   - Then: npm run sql:save -- "<your SELECT here>"
   - Or one shot: node scripts/run-sql.mjs --db-user=... --db-password=... --db-connect-string=... -o output/last-query.json "<your SELECT>"
5. Read output/last-query.json and reply with:
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
import path from 'path';
import { SKILL_ROOT } from './lib/paths.mjs';

const ENV_PATH = path.join(SKILL_ROOT, '.env');

const FLAG_MAP = {
  '--db-user': 'DB_USER',
Confidence
88% confidence
Finding
.env'

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/setup.mjs:30

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
simpleerp-db-clean/scripts/setup.mjs:30