Back to skill

Security audit

Aloudata CAN SKILLS - text-to-sql-query

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Text-to-SQL database helper, but it gives an agent credentialed live access to sensitive retail and member data without a clear confirmation or data-minimization gate.

Install only in environments where CAN_API_KEY is read-only, least-privilege, and limited to the listed tables. Treat every run as a live database query: review the generated SQL first, avoid returning member names, VIP IDs, order numbers, seller names, or other identifiers unless explicitly authorized, and keep filters and LIMIT values tight.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill advertises a very broad trigger surface for querying retail data and generating/executing SQL, without meaningful activation constraints or user-consent gates. In an agent setting, this increases the chance the skill is invoked on ambiguous prompts and sends sensitive business questions or generated SQL to a live database unnecessarily.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill directly generates and executes SQL against a production-like retail database, but it does not require a user-facing warning that natural-language requests will be transformed into outbound database queries. This is risky because user prompts may contain customer, sales, or proprietary business data, and the skill encourages immediate execution rather than informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents use of an API key and outbound transmission to a remote gateway but gives no user-facing warning about secret use, remote processing, or the sensitivity of query contents and results. In this context, the combination of credentialed access and direct database querying materially raises the risk of unauthorized or unexpected exposure of internal retail data.

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import os, requests

response = requests.post(
    "https://gateway.can.aloudata.com/api/jdbc/query",
    headers={
        "X-API-Key": os.environ["CAN_API_KEY"],
Confidence
91% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import os, requests

response = requests.post(
    "https://gateway.can.aloudata.com/api/jdbc/query",
    headers={
        "X-API-Key": os.environ["CAN_API_KEY"],
Confidence
91% confidence
Finding
requests.post( "https://gateway.can.aloudata.com/api/jdbc/query", headers={ "X-API-Key": os.environ["CAN_API_KEY"], "Content-Type": "application/json" }, json=

External Transmission

Medium
Category
Data Exfiltration
Content
**方式一:curl(推荐,适合 Bash 环境)**
```bash
curl --noproxy '*' -s \
  -H "X-API-Key: $CAN_API_KEY" \
  -H "Content-Type: application/json" \
  -X POST "https://gateway.can.aloudata.com/api/jdbc/query" \
Confidence
90% confidence
Finding
curl --noproxy '*' -s \ -H "X-API-Key: $CAN_API_KEY" \ -H "Content-Type: application/json" \ -X POST "https://gateway.can.aloudata.com/api/jdbc/query" \ -d '{"sql": "YOUR SQL HERE"}' ``` **方式

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.