Back to skill

Security audit

Data Migration Helper / 数据迁移助手

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for database migration work, with no malware signal, but users should treat its migration and rollback guidance as high-impact operational advice.

Before installing, review any external links and require backups, staging validation, exact command review, and explicit confirmation before running migrations or rollbacks against production data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Low
Confidence
97% confidence
Finding
The skill documentation includes unrelated promotional links and affiliate-style advertising that are not necessary for database migration functionality. In an agent skill context, unrelated outbound links increase supply-chain and social-engineering risk by encouraging users or downstream agents to trust or visit external resources outside the declared purpose of the skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This skill claims to plan and execute database migrations with rollback support, but it does not warn that migrations and rollbacks can modify, destroy, or expose user data if misapplied. Missing safety guidance can cause operators or autonomous agents to run destructive schema or data operations without backups, approval gates, or environment checks.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.