Security audit

pg-copilot

Security checks across malware telemetry and agentic risk

Overview

This PostgreSQL assistant is not clearly malicious, but it has powerful database, synchronization, and external-LLM access with weak scoping and unsafe secret-handling practices.

Review carefully before installing. Use only with dedicated least-privileged database accounts, avoid production data until tested, take backups before enabling sync or partition operations, and assume updates and deletes can propagate to targets. Do not pass passwords or API keys on the command line; prefer environment variables or a real secret manager. Configure external LLM endpoints only if SQL text and schema details are allowed to leave your environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (9)

Tainted flow: 'req' from os.environ.get (line 258, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: method='POST' ) with urllib.request.urlopen(req, timeout=30) as response: result = json.loads(response.read().decode('utf-8')) return result['choices'][0]['message']['content'], None
Confidence: 94% confidence
Finding: with urllib.request.urlopen(req, timeout=30) as response:

Intent-Code Divergence

Medium

Confidence: 99% confidence
Finding: The code labels password handling as encryption, but it merely Base64-encodes secrets before storing them in config. This provides no real confidentiality, so anyone with filesystem access can trivially recover database passwords and remote sync credentials.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The documentation presents SQL execution and real-time synchronization as routine features without clearly warning that these operations can modify, overwrite, or delete user data. In a database administration skill, this omission is dangerous because users may trigger high-impact actions under the assumption that the tool is inherently safe.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The documented configuration command passes database credentials directly on the command line, which can expose secrets through shell history, process listings, audit logs, and terminal recordings. This is a common credential-handling flaw that can lead to unauthorized database access if local system users or monitoring tools capture the arguments.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The LLM setup example shows an API key provided as a command-line argument, exposing it to shell history and process inspection just like database passwords. Leakage of the API key can allow unauthorized third-party use, billing abuse, and indirect access to sensitive prompts or data sent to the external model provider.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The sync feature documentation describes trigger-based change propagation but does not explicitly warn that destructive operations such as DELETE or faulty UPDATE statements can be replicated to the target database. Because this is real-time synchronization between production-like systems, omissions here materially increase the risk of large-scale data loss or corruption across multiple databases.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The manifest advertises broad, high-risk database capabilities including SQL execution, schema discovery, performance analysis, partition management, and real-time synchronization, but it provides no explicit activation boundaries, least-privilege constraints, or user-confirmation requirements. In an agent ecosystem, this kind of unrestricted scope increases the chance that the skill is invoked for sensitive or destructive operations without adequate policy gating, especially because it targets production-oriented database workflows.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The LLM helper constructs prompts containing SQL and optional schema information, then transmits them to an external API without a warning, consent flow, or data minimization. In a database assistant context, those prompts may contain sensitive table names, business logic, tenant identifiers, or confidential query text, making silent exfiltration especially risky.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The synchronization feature copies row-level data, including inserts, updates, and deletes, to remote PostgreSQL/MySQL systems. This is intentional functionality, but without strong disclosure, destination validation, and access controls it materially increases the risk of bulk data exfiltration or unauthorized replication of sensitive records.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.