ClawHub

sql-reports

Security checks across malware telemetry and agentic risk

Overview

This SQL reporting skill is related to its stated purpose, but it embeds database credentials and can return broader business data than the documentation suggests.

Review before installing. Only use this skill if you control the referenced SQL Server account, have rotated or removed the exposed password, and have confirmed the database target and report commands are limited to the intended data. The clean static scan and pending VirusTotal status do not remove the artifact-backed credential and scoping concerns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code hardcodes a SQL Server connection string with a username and plaintext password directly in source. Embedded credentials are easily exposed through source control, logs, backups, or package distribution, and can allow unauthorized access to the database and any data reachable by that account. The skill context makes this more dangerous because it is operational code that directly connects to a production-like database host using a named service account.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "do report" is overly generic and can easily match ordinary user requests unrelated to this skill, causing unintended invocation. In this context, accidental activation is more concerning because the skill executes a Python script that appears to query SQL-backed delivery order data, so misrouting user input could expose internal business information or trigger unauthorized reporting actions.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal