Schema Migrator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform destructive database index changes under a migration-oriented description, without clear user approval or safety controls.

Install only after the publisher clearly documents that the skill drops indexes, exactly which database and indexes it can affect, how recommendation.json is produced and trusted, and how to preview, approve, audit, and roll back changes. Use least-privilege database credentials and test on a non-production copy first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill metadata says it applies pending migration files, but the documented behavior is to read a recommendation file and drop indexes. This mismatch is dangerous because operators or automated systems may grant the skill privileges or invoke it expecting routine migrations, while it actually performs destructive schema changes that can degrade performance, break constraints, or cause outages.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest advertises migration execution, but the body describes consuming /root/.schema/recommendation.json and deleting indexes instead. That discrepancy can mislead users, orchestration agents, or review gates into authorizing a skill with broader or different side effects than expected, increasing the chance of unintended destructive database operations.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
Contradictory purpose statements within the same skill create an unsafe trust boundary: reviewers may approve it as a standard migration tool while runtime behavior targets index cleanup. In database automation contexts, this ambiguity is especially dangerous because schema-changing actions are often privileged and can have immediate production impact.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill's stated purpose is to apply pending migration files, but the implementation instead loads an external recommendation JSON and performs destructive schema changes by dropping indexes. This hidden capability creates a strong mismatch between advertised behavior and actual behavior, allowing an operator or upstream component to trigger index deletion on the production database without expecting destructive actions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code grants direct index-deletion capability even though that behavior is not justified by the skill's documented function. In context, this makes the skill more dangerous because a caller expecting routine schema migrations may unknowingly execute destructive performance-impacting changes sourced from an external file.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents destructive index deletion without any warning, confirmation, rollback guidance, or impact discussion. In a database-maintenance context this increases the likelihood of accidental execution, causing query regressions, lock contention, failed deployments, or loss of uniqueness enforcement if the wrong indexes are removed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script drops indexes immediately with no warning, dry-run mode, approval gate, or safety checks about whether those indexes are critical for performance or constraints. An attacker or misconfigured process that writes recommendation.json could degrade database performance, increase query latency, or disrupt dependent operations while the tool still reports completion.

VirusTotal

VirusTotal findings are pending for this skill version.