Virtuoso Product Support

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate-looking Virtuoso support skill, but it gives an agent broad production database authority with incomplete safety boundaries around destructive operations, credentials, and external data sharing.

Review carefully before installing or using this skill on real systems. Use it only with trusted MCP servers, prefer Demo or staging first, require explicit approval before SQL scripts, graph deletion, metadata repair, VAD changes, or URIBurner actions, and avoid pasting passwords, API keys, production data, logs, or local file URLs into the chat unless your organization has approved that data flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings (Medium, 95% confidence)

Finding: The installation example gives privileged shell and SQL commands that modify the host and database, including use of sudo and direct password changes, without warning about credential exposure, default-password risk, or operational impact. In an agent setting, users may copy-paste these commands verbatim, leading to insecure deployments, password mishandling, or unintended system changes.

Missing User Warnings (Medium, 97% confidence)

Finding: The troubleshooting example instructs users to shut down the server and restart it in foreground debug mode without warning that this will interrupt service and potentially expose sensitive diagnostic output. In production or shared environments, following these steps can cause avoidable downtime and increase data leakage risk through verbose logs or console traces.

Missing User Warnings (Medium, 88% confidence)

Finding: The documentation exposes a tool that can execute arbitrary multi-statement SQL scripts, including schema-changing and data-destructive operations, without an explicit safety warning, confirmation requirement, or stated restriction to read-only usage. In a support agent context, this materially increases the chance that an agent or user will perform irreversible database changes such as DROP, ALTER, or mass UPDATE/DELETE operations based on generated or mistaken instructions.

Missing User Warnings (Medium, 90% confidence)

Finding: The remote query tools allow arbitrary endpoint URLs and optional API keys but do not warn about outbound data transfer, credential exposure, or SSRF-style access to internal services. In this agent setting, a user prompt or chained tool use could cause sensitive queries, metadata, or secrets to be sent to untrusted external endpoints.

Missing User Warnings (Medium, 93% confidence)

Finding: The LLM completion tool accepts raw prompts, file URLs, and API keys without warning that confidential database contents, local documents, or credentials may be transmitted to an external model provider. Because this skill is designed for database support and troubleshooting, operators may paste schemas, queries, logs, or secrets, making unintended data exfiltration especially plausible.

Missing User Warnings (Medium, 95% confidence)

Finding: The troubleshooting flow instructs the operator to generate and execute a drop script and then run CLEAR GRAPH against a graph IRI without any warning, confirmation gate, or backup prerequisite. In a support agent with database and RDF administration capabilities, this can directly cause irreversible deletion of mappings and graph data if the wrong target is chosen or if the guidance is followed mechanically.

Missing User Warnings (Medium, 90% confidence)

Finding: This section recommends auto-repair, Level 3 audit, and potentially dropping and recreating RDF Views or restoring from backup, but it does not clearly signal that these operations may modify metadata, remove objects, or overwrite recovery state. Because this skill is designed for operational support on live Virtuoso instances, users may apply these steps to production systems and trigger service disruption or data loss.

Missing User Warnings (Medium, 89% confidence)

Finding: The VAD guidance tells users to uninstall and reinstall a package without warning that this can remove application components, break dependencies, or temporarily take services offline. In the context of an administrative support skill, such instructions can lead to avoidable outages or configuration loss when executed on active systems.

Missing User Warnings (Medium, 97% confidence)

Finding: The workflow explicitly asks users to provide database credentials, including a password, in conversational flow without a secure secret-handling channel or warning. This can lead to credential disclosure in chat logs, agent memory, telemetry, or downstream tool traces, exposing backend databases to unauthorized access.

VirusTotal

66/66 vendors flagged this skill as clean.