database_skill

Security checks across malware telemetry and agentic risk

Overview

This is a working database helper, but it can modify databases and it automatically saves connection details to a file in the system temp directory; review both behaviors before installing it.

Install it only if you intend to let the agent connect to real databases. Default to least-privileged or read-only accounts, keep production credentials out of exploratory sessions, review every UPDATE/DELETE and batch SQL file before it runs, never embed passwords in JDBC URLs (the full URL is written to disk unchanged), and delete the saved-connections file in the temp directory whenever connection metadata should not persist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes capabilities that use environment variables, local file read/write, and network/database access, but the skill does not declare permissions for those behaviors. This creates a transparency and least-privilege problem: operators may invoke the skill without realizing it can persist connection metadata, read config files, and connect to remote hosts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior exceeds the declared purpose in several important ways, including persistent storage of connection metadata, YAML-based configuration loading with environment interpolation, interactive saved-connection handling, and execution of batch SQL from files. These hidden or under-declared behaviors increase attack surface and can lead to unintended data exposure or destructive database actions because users may trust the narrow description and invoke the skill in more sensitive contexts than intended.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The docstring states plaintext passwords are never persisted, but the full `url` field is serialized to disk unchanged. If users provide JDBC-style URLs containing embedded credentials, those secrets will be written to the JSON file in the temp directory, exposing database credentials to other local users, processes, backups, or forensic artifacts.
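The check a practitioner wants for this finding is a way to detect credentials embedded in a connection URL before the record is written, and to audit a saved-connections file that has already been persisted. The following is an added example, not the skill's own code; it assumes a saved-connection record is a JSON object with `label`, `url`, `username` and `driver` keys (the page names those fields but not their exact shape) and treats the listed query-parameter names as the secret-bearing ones, which is an assumption to extend for the drivers you actually use.

```python
"""Detect and redact credentials embedded in connection URLs before they hit disk.

Added example; not part of the audited skill. Record shape (label/url/username/
driver) and SECRET_QUERY_KEYS are assumptions, not facts taken from the skill.
"""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string keys that commonly carry a secret in JDBC/ODBC-style URLs.
# Assumption: not exhaustive; add the keys your drivers use.
SECRET_QUERY_KEYS = {"password", "pwd", "passwd", "secret", "sslkey"}
REDACTED = "REDACTED"


def split_jdbc(url):
    """Return (prefix, plain_url): 'jdbc:postgresql://h/db' -> ('jdbc:', 'postgresql://h/db').

    urlsplit() cannot see the authority behind a 'jdbc:' prefix, so peel it off first.
    """
    if url.lower().startswith("jdbc:"):
        return url[:5], url[5:]
    return "", url


def find_embedded_secrets(url):
    """Return the reasons a URL carries a credential; an empty list means it looks clean."""
    _, plain = split_jdbc(url)
    parts = urlsplit(plain)
    reasons = []
    if parts.password is not None:
        reasons.append("password in userinfo")
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_QUERY_KEYS:
            reasons.append(f"secret query parameter '{key}'")
    return reasons


def redact_url(url):
    """Drop the password from userinfo and blank secret query params; keep user, host, db."""
    prefix, plain = split_jdbc(url)
    parts = urlsplit(plain)
    netloc = parts.netloc
    userinfo, sep, hostport = netloc.rpartition("@")
    if sep and ":" in userinfo:
        # Keep only the username; the host[:port] text is reused verbatim so
        # bracketed IPv6 literals and case are preserved.
        netloc = userinfo.split(":", 1)[0] + "@" + hostport
    query = urlencode(
        [(k, REDACTED if k.lower() in SECRET_QUERY_KEYS else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    )
    return prefix + urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


def safe_record(record):
    """Copy of a saved-connection record with secrets removed from its 'url' field."""
    clean = dict(record)
    clean["url"] = redact_url(record.get("url", ""))
    return clean


def scrub_records(json_text):
    """Audit and clean an already-persisted saved-connections list.

    Returns (clean_json_text, labels_that_leaked). Use the labels to rotate the
    credentials that were written to disk; the clean text can replace the file.
    """
    records = json.loads(json_text)
    leaked = [r.get("label") for r in records if find_embedded_secrets(r.get("url", ""))]
    clean = [safe_record(r) for r in records]
    return json.dumps(clean, indent=2), leaked


# Constructed sample of what a persisted saved-connections file might hold.
SAMPLE_SAVED_CONNECTIONS = json.dumps([
    {"label": "orders-prod", "driver": "postgresql", "username": "alice",
     "url": "postgresql://alice:s3cret@db.internal:5432/orders"},
    {"label": "legacy-jdbc", "driver": "org.postgresql.Driver", "username": "alice",
     "url": "jdbc:postgresql://db.internal/orders?user=alice&password=s3cret&sslmode=require"},
    {"label": "reporting-ro", "driver": "mysql", "username": "readonly",
     "url": "mysql://reports.internal/warehouse"},
])

if __name__ == "__main__":
    cleaned, leaked = scrub_records(SAMPLE_SAVED_CONNECTIONS)
    print("records that leaked a secret:", leaked)
    print(cleaned)
```

Run `find_embedded_secrets` at the write site and refuse to persist (or persist the `redact_url` result) when it returns anything; run `scrub_records` over the existing temp file to find out which credentials have already been exposed and need rotation, since deleting the file does not undo a write that backups or other local users may have captured.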

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill documents UPDATE/INSERT/DELETE and transaction examples but does not prominently warn that these operations can modify or destroy production data. In an agent context, operational examples can be copied directly into execution flows, increasing the chance of accidental destructive actions against real databases.
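The mitigation the overview recommends, reviewing every UPDATE/DELETE and batch SQL file before it runs, can be turned into a pre-flight gate that an agent must pass before handing a batch to the database. The following is an added example and not the skill's own code; it assumes statements are separated by `;`, uses standard single-quoted literals and `--`/`/* */` comments, and is a review aid rather than a full SQL parser (dialect-specific syntax such as dollar-quoted strings is not handled).

```python
"""Pre-flight review of a batch SQL file before an agent executes it.

Added example; not part of the audited skill. Splits statements outside string
literals and comments, classifies each, and refuses destructive batches unless
the caller explicitly allows them.
"""
import re

_STRING_RE = re.compile(r"'(?:[^']|'')*'")
# WHERE clauses that match every row anyway (assumption: common tautologies only).
_TAUTOLOGY_RE = re.compile(r"\bWHERE\s+(?:1\s*=\s*1|TRUE)\s*$", re.I)


def split_statements(sql_text):
    """Split on ';' outside quotes and comments; literals are kept, comments dropped."""
    statements, buf, in_str, i, n = [], [], False, 0, len(sql_text)
    while i < n:
        ch = sql_text[i]
        if in_str:
            buf.append(ch)
            if ch == "'":
                if i + 1 < n and sql_text[i + 1] == "'":   # '' escapes a quote
                    buf.append("'")
                    i += 1
                else:
                    in_str = False
        elif ch == "'":
            in_str = True
            buf.append(ch)
        elif sql_text.startswith("--", i):
            j = sql_text.find("\n", i)
            i = n if j == -1 else j
            continue
        elif sql_text.startswith("/*", i):
            j = sql_text.find("*/", i + 2)
            i = n if j == -1 else j + 2
            continue
        elif ch == ";":
            stmt = "".join(buf).strip()
            if stmt:
                statements.append(stmt)
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements


def classify(statement):
    """Return (kind, reason) with kind in read/write/destructive/control/unknown."""
    body = _STRING_RE.sub("''", statement)      # a WHERE inside a literal must not count
    words = body.upper().split()
    verb = words[0] if words else ""
    if verb in {"DROP", "TRUNCATE", "ALTER"}:
        return "destructive", f"{verb} changes schema or discards data"
    if verb in {"UPDATE", "DELETE"}:
        if "WHERE" not in words:
            return "destructive", f"{verb} without WHERE touches every row"
        if _TAUTOLOGY_RE.search(body):
            return "destructive", f"{verb} with an always-true WHERE touches every row"
        return "write", f"{verb} with WHERE"
    if verb in {"INSERT", "MERGE", "REPLACE", "CREATE", "GRANT", "REVOKE"}:
        return "write", verb
    if verb == "WITH" and {"DELETE", "UPDATE", "INSERT"} & set(words):
        return "write", "WITH ... containing DML"
    if verb in {"SELECT", "WITH", "EXPLAIN", "SHOW"}:
        return "read", verb
    if verb in {"BEGIN", "START", "COMMIT", "ROLLBACK", "SAVEPOINT", "SET"}:
        return "control", verb
    return "unknown", f"unrecognised statement starting with {verb!r}"


def review_sql_batch(sql_text):
    """One finding per statement: index, kind, reason and the statement text."""
    return [{"index": i, "kind": kind, "reason": reason, "statement": stmt}
            for i, stmt in enumerate(split_statements(sql_text))
            for kind, reason in [classify(stmt)]]


def gate_batch(sql_text, allow_destructive=False):
    """Decide whether a batch may run; destructive statements need explicit approval."""
    findings = review_sql_batch(sql_text)
    verbs = [f["statement"].split()[0].upper() for f in findings]
    destructive = [f for f in findings if f["kind"] == "destructive"]
    return {
        "ok": allow_destructive or not destructive,
        "transactional": bool(verbs) and verbs[0] in {"BEGIN", "START"} and "COMMIT" in verbs,
        "destructive": destructive,
        "findings": findings,
    }


# Constructed batch mixing safe and dangerous statements.
SAMPLE_BATCH = """
-- nightly cleanup (constructed example)
BEGIN;
UPDATE orders SET status = 'shipped' WHERE id = 42;
DELETE FROM audit_log;                 -- no WHERE: wipes the table
INSERT INTO notes (body) VALUES ('where is this; going');
DELETE FROM sessions WHERE 1=1;        /* tautology: also wipes the table */
COMMIT;
"""

if __name__ == "__main__":
    result = gate_batch(SAMPLE_BATCH)
    for f in result["findings"]:
        print(f"{f['index']}: {f['kind']:<11} {f['reason']}")
    print("ok to run:", result["ok"], "| transactional:", result["transactional"])
```

Wire `gate_batch` in front of the skill's batch execution path and require a human to set `allow_destructive=True` per batch; a batch that is not wrapped in a transaction cannot be rolled back if a later statement fails, so `transactional` is worth surfacing alongside the destructive findings.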

Missing User Warnings

Low
Confidence
77% confidence
Finding
Even when passwords are not intentionally stored, persisting database URLs, usernames, and driver information in a temp directory can expose sensitive infrastructure metadata to other local users, processes, or logs. The absence of a privacy warning understates the sensitivity of this metadata, especially in enterprise environments where hostnames, usernames, and database types are confidential.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Connection records are persisted automatically to a predictable file in the system temp directory without explicit disclosure or consent at the write site. Even when passwords are not intentionally stored, connection URLs, usernames, labels, and database identifiers can reveal sensitive infrastructure details, and temp directories often have weaker security expectations and cleanup behavior.

VirusTotal

65/65 vendors flagged this skill as clean.
