Museum Data Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is openly described as a museum database tool, but it gives an agent unrestricted MySQL query power that could change or delete data.

Install only if you trust the workflow that will call it and can provide a least-privilege MySQL account. Prefer a read-only database user unless writes are truly needed, avoid root or GRANT ALL credentials, review every custom SQL statement before execution, keep backups, and choose export paths carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The documented `museum query "SQL_STATEMENT"` interface explicitly permits arbitrary SQL execution, which exceeds the otherwise operational/read-oriented framing of the skill. In an agent context, this enables destructive statements such as `DROP`, `DELETE`, `UPDATE`, file-writing features, or privilege-affecting queries if the backing account is overprivileged, making accidental or prompt-induced damage plausible.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The tool intentionally exposes a `query` command that executes arbitrary SQL supplied by the user, which goes beyond ordinary museum lookup and reporting operations. In a skill/agent context, this enables destructive statements such as DROP, DELETE, UPDATE, or privilege-changing commands if the database account permits them, making the skill far more dangerous than its stated purpose suggests.

Missing User Warnings

Medium
Confidence: 94%
Finding
The README advertises raw SQL execution with no warning that commands may be destructive or irreversible. Because the same document also suggests broad database privileges and operational use by agents, users may reasonably issue dangerous SQL or allow an LLM-driven workflow to do so, resulting in data loss, corruption, or unauthorized modification.

Missing User Warnings

High
Confidence: 99%
Finding
The custom SQL execution path accepts any SQL statement and forwards it directly to the database with no restriction, safety checks, or warning. If exposed to an agent or untrusted user input, it can be used to read sensitive data, alter records, destroy tables, or abuse database-side capabilities depending on account privileges.

VirusTotal

66/66 vendors flagged this skill as clean.