Virtuoso Product Support
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: virtuoso-support-agent
Version: 1.0.0
The skill is classified as suspicious due to multiple high-risk capabilities that are vulnerable to prompt injection and potential exploitation, rather than clear malicious intent. Key indicators include:
1) The `EXECUTE_SQL_SCRIPT` and `execute_sql_query` tools (documented in `SKILL.md` and `references/tool-reference.md`) allow the agent to execute arbitrary SQL commands, posing a significant SQL injection/RCE risk if agent instructions for user approval or script modification are bypassed via prompt injection.
2) The `sparqlRemoteQuery` tool (`references/tool-reference.md`) enables querying arbitrary remote SPARQL endpoints with an optional `apiKey`, creating a data exfiltration vulnerability if the agent is tricked into sending sensitive local data to a malicious URL.
3) The `chatPromptComplete` tool (`references/tool-reference.md`) includes a `file_urls` parameter, allowing the agent to read arbitrary files and pass their content to an LLM, which is a critical information disclosure risk via prompt injection against the agent itself.
These powerful capabilities, while potentially necessary for the skill's stated purpose, lack robust, unbypassable safeguards against a malicious user.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken target instance, graph IRI, or generated SQL script could alter or remove production RDF metadata, graphs, or access rules.
The skill explicitly exposes database script execution, RDF View drop/sync operations, and other mutation-capable tools on a production instance. This is aligned with the database-management purpose and the workflow asks for confirmations, but it is high-impact.
“URIBurner - Production instance” ... “All tools available on both Demo and URIBurner” ... “EXECUTE_SQL_SCRIPT” ... “RDFVIEW_DROP_SCRIPT” ... “RDFVIEW_SYNC_TO_PHYSICAL_STORE”
Before approving any operation, confirm Demo vs. URIBurner, inspect generated scripts, ensure backups or rollback plans exist, and use least-privileged database access where possible.
If those external MCP tools are present, they may create or inspect remote database connections using parameters outside the documented 23-tool reference.
The detailed workflow references additional MCP tools for schema discovery and remote data-source linking that are not part of the main 23-tool list shown in SKILL.md/tool-reference. This appears to be purpose-aligned error recovery, but the actual behavior of those tools is not reviewable from the supplied artifacts.
“Tool: `{Server}:database_schema_objects`” ... “Verify remote DSN: `database_remote_datasources` (command: 'list')” ... “link via `database_remote_datasources` (command: 'link')”
Verify the configured MCP servers and tool definitions before using remote data-source linking, and only provide connection details to trusted Virtuoso instances.
A provided API key could authorize access to a remote endpoint or model provider through the configured MCP tool.
The skill can pass API keys to remote SPARQL or LLM-related tools. This is disclosed and no logging, hardcoding, or unrelated credential use is shown, but users should treat those keys as sensitive.
“sparqlRemoteQuery” parameters include “url” and optional “apiKey”; “chatPromptComplete” parameters include optional “api_key”.
Use scoped, revocable keys, avoid sharing long-lived administrator credentials, and confirm the endpoint before providing secrets.
Sensitive database names, query contents, result samples, or credentials could be exposed to remote services if included in those calls.
The skill documents remote endpoint and LLM-style tool calls. These are expected for database/query support, but any prompts, queries, or result excerpts sent through them may leave the local conversation boundary depending on MCP configuration.
“sparqlRemoteQuery — Execute SPARQL against remote endpoint” ... “graphqlEndpointQuery — Execute GraphQL query against specific endpoint” ... “chatPromptComplete — Use LLM for complex reasoning tasks.”
Use only trusted endpoints and avoid sending secrets or sensitive production data through remote query or LLM tools unless that data flow is approved.
