db-toolkit

Security checks across malware telemetry and agentic risk

Overview

This database skill is useful and not deceptive, but it needs review because it can automatically read local credential files and run real database-changing operations with limited safeguards.

Install only if you are comfortable letting the agent inspect local database configuration files and connect to real databases. Use least-privilege or read-only credentials where possible, avoid production by default, and require the agent to show the exact host, database, account, and SQL before any INSERT, UPDATE, DELETE, ALTER, DROP, TRUNCATE, or index change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The skill explicitly instructs scanning `.env`, application config, and ORM files to auto-discover database credentials. That expands scope from database operations into credential harvesting from project files, which can expose secrets the user did not explicitly consent to reveal and may cause the agent to access sensitive material unrelated to the immediate task.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The SQLite path interpolates the user-controlled table name directly into PRAGMA statements such as `PRAGMA table_info(${tableName})` and related calls. SQLite parses a PRAGMA argument as SQL (an identifier or expression) and PRAGMA does not accept bound parameters, so a crafted table name can change which object is inspected or break out of the intended PRAGMA text, which is risky in a tool meant for safe introspection.
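An added example, not the skill's code, showing the interpolated PRAGMA next to a form that binds the name. The skill's own snippet is JavaScript; this uses Python's standard sqlite3 module so it runs with no extra packages. The users and secrets tables, their columns, and the function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample schema; table and column names are assumptions, not from the skill.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, api_key TEXT)")
    return conn


def describe_table_unsafe(conn, table_name):
    """The pattern the finding flags: the caller-supplied name is spliced into the
    PRAGMA text. SQLite parses a PRAGMA argument as SQL, so the string is not a
    bound value; whatever SQL syntax it contains is interpreted. An unknown name
    returns nothing rather than an error, so mistakes are silent."""
    rows = conn.execute(f"PRAGMA table_info({table_name})").fetchall()
    return [row[1] for row in rows]  # column name is the second field of table_info


def describe_table_safe(conn, table_name):
    """Hardened form: resolve the name against the catalog with a bound parameter,
    then read the table-valued pragma_table_info() (SQLite >= 3.16), whose argument
    is an ordinary expression and can therefore be bound as well."""
    found = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table_name,),
    ).fetchone()
    if found is None:
        raise ValueError(f"not a table in this database: {table_name!r}")
    rows = conn.execute(
        "SELECT name FROM pragma_table_info(?) ORDER BY cid", (table_name,)
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # The quotes are SQL syntax: the unsafe path accepts them because the text is parsed.
    print(describe_table_unsafe(db, '"users"'))
    print(describe_table_safe(db, "users"))
    try:
        describe_table_safe(db, '"users"')
    except ValueError as e:
        print("rejected:", e)
```

The catalog lookup is what makes the difference: the safe path only ever passes a value that is literally a table name in sqlite_master, and it passes it as a parameter, so nothing the caller types is ever read as SQL.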

Vague Triggers

Severity: Medium
Confidence: 78%
Finding
The trigger conditions are very broad and include nearly any database-related request, increasing the chance of unintended invocation. In this skill's context, accidental activation is more dangerous because the instructions also encourage real-database access and credential discovery, potentially causing sensitive operations to start without sufficiently clear user intent.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The skill tells the agent to automatically inspect `.env` and application configuration files for database credentials without a clear warning or opt-in. This is dangerous because those files often contain highly sensitive secrets, and an agent following these instructions may over-collect confidential data beyond what is necessary for the user's request.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
The skill advertises insert, update, delete, and schema-changing operations on real databases but does not consistently require strong warnings or confirmations. In a real-database context, this can lead to unintended destructive actions, data loss, or integrity issues if the skill is invoked too casually or the user intent is ambiguous.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation includes example commands with plaintext database credentials directly on the command line. Command-line arguments are often exposed via shell history, process listings, audit logs, and screenshots, so users may unintentionally leak real database passwords by copying this pattern. In a database operations skill, this is more dangerous because the examples are likely to be used verbatim in real environments with privileged accounts.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The file includes destructive SQL examples (`DROP TABLE IF EXISTS users;` and `TRUNCATE TABLE users;`) without any warning that they permanently remove data or alter database state. In a skill explicitly designed to help users perform DDL/DML operations, such examples can be copied or surfaced by an agent and executed in real environments, increasing the chance of accidental data loss.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The document includes destructive SQL operations such as DELETE and TRUNCATE as ready-to-use examples without any warning about irreversible data loss, transactional safeguards, backups, or the need for restrictive WHERE clauses. In a database operation skill, users may copy these commands directly, increasing the chance of accidental mass deletion or schema-impacting misuse.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation shows database passwords being passed directly on the command line in example invocations. Command-line arguments can be exposed through shell history, process listings, terminal logs, and CI output, so readers may copy this unsafe pattern and inadvertently leak credentials.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This reference includes destructive SQLite DML examples such as deleting all rows and resetting the autoincrement sequence without any warning, scope limitation, or emphasis on backups/transaction safety. In a database-operation skill, users may copy these commands directly into production contexts, causing irreversible data loss or corruption of operational state.
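The overview asks for the exact host, database, account and SQL to be shown before any write, and the findings on DELETE, TRUNCATE, DROP and autoincrement resets ask for WHERE clauses and transactional safeguards. The following added example (not the skill's code) is one way to gate writes in Python with the standard sqlite3 module: a leading-keyword classifier that is not fooled by comments, a preview of the target, a refusal of DELETE or UPDATE without WHERE, an explicit confirmation flag, and a transaction that rolls back when more rows change than expected. The users table, the TARGET dictionary and the max_rows default are constructed assumptions.

```python
import re
import sqlite3

# Constructed target and schema for the demonstration; none of this is from the skill.
TARGET = {"host": "db.internal.example", "database": "app", "user": "app_rw"}

# Leading keywords that change data or schema. WITH is included because a CTE can
# front a DELETE or UPDATE; PRAGMA because several pragmas write state.
WRITE_HEADS = {"INSERT", "UPDATE", "DELETE", "REPLACE", "MERGE",
               "CREATE", "ALTER", "DROP", "TRUNCATE", "PRAGMA", "WITH"}


class WriteRefused(Exception):
    """Raised instead of running a statement that fails one of the checks."""


def seed_db():
    conn = sqlite3.connect(":memory:", isolation_level=None)  # transactions managed by hand
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users (email) VALUES (?)",
                     [(f"user{i}@example.com",) for i in range(1, 6)])
    return conn


def leading_keyword(sql):
    """First keyword after stripping -- and /* */ comments, so a comment cannot hide the verb."""
    body = re.sub(r"--[^\n]*|/\*.*?\*/", " ", sql, flags=re.S).strip()
    return body.split(None, 1)[0].upper() if body else ""


def preview(target, sql, params):
    """The line the agent must show before a write: exact host, database, account and SQL."""
    return (f"host={target['host']} db={target['database']} user={target['user']} "
            f"sql={sql!r} params={params!r}")


def guarded_write(conn, target, sql, params=(), *, confirmed=False, max_rows=100):
    """Run a statement. Reads pass straight through. Writes need a WHERE (DELETE/UPDATE),
    an explicit confirmation, and are rolled back if they change more than max_rows rows."""
    head = leading_keyword(sql)
    if head not in WRITE_HEADS:
        return conn.execute(sql, params).fetchall()
    if head in ("DELETE", "UPDATE") and not re.search(r"\bWHERE\b", sql, re.I):
        raise WriteRefused(f"{head} without WHERE refused: " + preview(target, sql, params))
    if not confirmed:
        raise WriteRefused("confirmation required: " + preview(target, sql, params))
    conn.execute("BEGIN IMMEDIATE")
    try:
        cur = conn.execute(sql, params)
        changed = cur.rowcount  # -1 for statements that are not DML
        if changed > max_rows:
            conn.execute("ROLLBACK")
            raise WriteRefused(f"{changed} rows affected, limit is {max_rows}; rolled back")
        result = cur.fetchall() if cur.description else changed
        conn.execute("COMMIT")
        return result
    except sqlite3.Error:
        conn.execute("ROLLBACK")
        raise


if __name__ == "__main__":
    db = seed_db()
    try:
        guarded_write(db, TARGET, "DELETE FROM users", confirmed=True)
    except WriteRefused as e:
        print(e)
    print(guarded_write(db, TARGET, "DELETE FROM users WHERE id = ?", (1,), confirmed=True))
```

The WHERE check is deliberately blunt: a full-table change has to be requested as such, not produced by a missing clause. The row limit is the second net, since a WHERE that matches everything passes the first one; it is checked inside the transaction so the statement's real effect is measured before anything is committed.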

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The performance section recommends dropping and recreating an index for bulk import without warning that this is a schema-altering operation that can degrade availability, block queries, and fail if not properly restored. Because this skill is intended for live multi-database operations, readers may apply the snippet directly and unintentionally disrupt application behavior or leave the database in a degraded state.
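The drop-and-recreate-index advice the finding refers to, as an added example (not the skill's code) of the transactional form in Python's sqlite3: the drop, the load and the recreate run in one transaction, so a failed load leaves the original index and rows intact. The events table, the index name and the sample rows are assumptions.

```python
import sqlite3

# Constructed schema for the demonstration; names are assumptions, not from the skill.
INDEX_SQL = "CREATE INDEX events_user_idx ON events (user_id)"


def make_db():
    conn = sqlite3.connect(":memory:", isolation_level=None)  # transactions managed by hand
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, "
                 "user_id INTEGER NOT NULL, ts TEXT NOT NULL)")
    conn.execute(INDEX_SQL)
    return conn


def index_exists(conn, name="events_user_idx"):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'index' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]


def bulk_import(conn, rows):
    """Drop the index, load the rows, recreate the index, all inside one transaction.
    SQLite DDL is transactional, so if any INSERT or the CREATE INDEX fails the
    ROLLBACK restores the original index and the original rows. Returns the row
    count after a successful import."""
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before touching the schema
    try:
        conn.execute("DROP INDEX events_user_idx")
        conn.executemany("INSERT INTO events (user_id, ts) VALUES (?, ?)", rows)
        conn.execute(INDEX_SQL)
        conn.execute("COMMIT")
    except sqlite3.Error:
        conn.execute("ROLLBACK")
        raise
    return row_count(conn)


if __name__ == "__main__":
    db = make_db()
    print(bulk_import(db, [(1, "2024-01-01T00:00:00Z"), (2, "2024-01-01T00:00:01Z")]))
    try:
        bulk_import(db, [(3, "2024-01-01T00:00:02Z"), (None, "2024-01-01T00:00:03Z")])
    except sqlite3.IntegrityError as e:
        print("load failed, index still present:", index_exists(db), e)
```

This guarantee is engine-specific. PostgreSQL also runs DDL inside transactions, but its CREATE INDEX CONCURRENTLY and DROP INDEX CONCURRENTLY cannot be used inside a transaction block, so the non-blocking variant trades away the automatic restore. MySQL commits implicitly on DDL, so there a failed load after DROP INDEX leaves the table without its index until someone recreates it by hand.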

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The usage examples encourage passing database passwords on the command line, which commonly exposes credentials through shell history, process listings, audit logs, and orchestration tooling. Because this skill is explicitly for live database access, those examples normalize insecure credential handling in a high-value context and increase the chance of credential leakage.
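For the three findings about passwords on the command line, an added example (not the skill's code) in Python: a check that spots the pattern in an argument vector, and a loader that takes the password from an environment variable or from a file that only its owner can read, the rule psql applies to .pgpass. The DB_PASSWORD variable name and the --password flag spellings are assumptions; a given client may use different flags.

```python
import os
import stat
import tempfile
from pathlib import Path


class CredentialError(Exception):
    pass


def password_on_command_line(argv):
    """True if the argument vector carries a password the way the findings warn about.
    Anything in argv is visible to other local users (ps, /proc/<pid>/cmdline) and ends
    up in shell history and CI logs. The flag spellings checked here are assumptions."""
    for i, arg in enumerate(argv):
        if arg.startswith("--password="):
            return True
        if arg == "--password" and i + 1 < len(argv):
            return True
    return False


def load_password(env_var="DB_PASSWORD", password_file=None, environ=None):
    """Take the password from the environment, else from a file that only its owner
    can read. The mode check is the .pgpass rule: any group or other permission bit
    set means the file is refused rather than used."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var)
    if value:
        return value
    if password_file is None:
        raise CredentialError(f"set {env_var} or supply a password file")
    path = Path(password_file)
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError(f"{path} has mode {mode:04o}; refusing it, chmod 600 the file")
    return path.read_text(encoding="utf-8").strip()


def check_file_modes():
    """Throwaway demonstration: the same file is refused at 0644 and accepted at 0600.
    Returns (refused_when_group_or_world_readable, value_when_owner_only)."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "dbpass"
        path.write_text("hunter2\n", encoding="utf-8")  # constructed sample secret
        os.chmod(path, 0o644)
        try:
            load_password(password_file=path, environ={})
            refused = False
        except CredentialError:
            refused = True
        os.chmod(path, 0o600)
        return refused, load_password(password_file=path, environ={})


if __name__ == "__main__":
    print(password_on_command_line(["psql", "-h", "db.internal", "--password=hunter2"]))
    print(check_file_modes())
```

Neither alternative appears in ps output or shell history, which is the exposure the findings describe. An environment variable is still readable by the same user through /proc/<pid>/environ and is inherited by every child process the agent spawns, so for a long-running agent the owner-only file is the tighter of the two.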

VirusTotal

64/64 vendors flagged this skill as clean.
