ClickHouse

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate ClickHouse helper, but users should be careful because it can save database context locally and includes examples for powerful database operations.

Install only if you are comfortable with an agent helping administer ClickHouse. Do not put database passwords or cloud secrets in ~/clickhouse/ or command URLs; use environment variables, ClickHouse client profiles, or a secret manager. Review generated INSERT, ALTER, DROP, KILL, OPTIMIZE, TTL, and migration commands before running them against real data, and periodically inspect or delete ~/clickhouse/memory.md and ~/clickhouse/schemas/ if you do not want that context retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill includes examples that embed credentials in a URL and demonstrate direct transmission of data to HTTP and S3 endpoints without any warning about secret handling, TLS requirements, or data exfiltration risk. Even as documentation, these patterns normalize unsafe operational behavior and can lead users to expose passwords in shell history, logs, proxies, or version control.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The schema migration examples show destructive operations like DROP COLUMN and OPTIMIZE TABLE ... FINAL without warning about irreversible data loss, lock/resource impact, or the need for backups and maintenance windows. In an admin-focused skill, users may copy these commands into production, causing unintended deletion or severe performance degradation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document includes `KILL QUERY` examples without an adjacent warning that these commands terminate live workloads and can disrupt users, dashboards, or ingestion jobs if copied blindly. In an admin-focused ClickHouse skill, operators may treat examples as safe defaults, so omitting impact guidance increases the risk of accidental denial of service or interruption of critical analytics processes.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation rule 'Read this silently when `~/clickhouse/` doesn't exist' is broad and state-based rather than tied to explicit user intent, so the skill may initialize unexpectedly. That can lead to unsolicited data collection and file creation before the user understands the skill's behavior.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs the agent to save host, port, database, and authentication method to `~/clickhouse/memory.md` without clearly warning the user that these details will persist locally. Connection metadata and auth method are sensitive operational information that can aid lateral movement, targeting, or unintended disclosure if the workstation or agent storage is accessed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs the agent to write shared table definitions and optimization notes into `~/clickhouse/schemas/` without explicitly disclosing file creation or persistence to the user. Schema artifacts often reveal internal business logic, infrastructure layout, and sensitive field names, so silent local storage increases the risk of accidental exposure.

Ssd 3

Medium
Confidence
96% confidence
Finding
These instructions tell the agent to persist user connection details and authentication method in internal memory without consent or data-minimization controls. Even if secrets are not stored directly, retaining infrastructure and auth-context data beyond the immediate task creates unnecessary privacy and security exposure.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill broadly instructs the agent to keep records of schemas, table definitions, use cases, and pain points, which can capture proprietary architecture and potentially sensitive business context. Because this storage is framed as internal and not transparently disclosed, users may reveal more than intended and lose control over where that information persists.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# JSON via HTTP
curl 'http://localhost:8123/?query=INSERT%20INTO%20events%20FORMAT%20JSONEachRow' \
  --data-binary @data.json

# With authentication
```
Confidence
95% confidence
Finding
```bash
curl 'http://localhost:8123/?query=INSERT%20INTO%20events%20FORMAT%20JSONEachRow' \
  --data-binary @data.json

# With authentication
curl 'http://localhost:8123/?user=default&password=xxx' \
  --data
```

VirusTotal

64/64 vendors flagged this skill as clean.
