Security audit

postgres-tool

Security checks across malware telemetry and agentic risk

Overview

This PostgreSQL admin skill is mostly coherent, but it needs review because it can change or delete database data and has misleading safety and configuration details.

Install only after reviewing the database config and safety behavior. Replace the bundled credentials, use a least-privilege database account, verify each SQL statement manually, avoid --force unless intentionally automating a tested operation, and treat backup/export files as sensitive. Do not rely on --dry-run for UPDATE or DELETE unless the implementation is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation says only SELECT queries are allowed by default, but elsewhere it instructs direct execution of arbitrary SQL and explicitly supports UPDATE and DELETE, including a force mode. This inconsistency can mislead users and agents into assuming read-only behavior while the tool can perform destructive database changes.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The evaluation set uses broad natural-language prompts with minimal trigger boundaries, so the skill may be considered applicable in a wide range of database-related conversations without clear limits. For a database-management skill, this increases the chance of over-triggering in contexts involving sensitive data access or destructive SQL operations, and weakens assurance that the skill will only activate when the user explicitly intends PostgreSQL actions.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The safety guide is entirely in Chinese for a PostgreSQL administration skill that documents dangerous UPDATE/DELETE workflows, confirmations, backup handling, and restore procedures. If operators cannot read the guide, they may misunderstand or bypass safety controls such as confirmation requirements, force-mode warnings, and recovery steps, increasing the likelihood of destructive database actions.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# For offline installation: pip install --no-index --find-links=dependencies -r requirements.txt
# Note: version numbers must match the wheel files in the dependencies/ directory

psycopg2-binary>=2.9.11
pandas>=2.0.0
openpyxl>=3.1.5
numpy>=1.24.0
Confidence
91% confidence
Finding
psycopg2-binary>=2.9.11

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Note: version numbers must match the wheel files in the dependencies/ directory

psycopg2-binary>=2.9.11
pandas>=2.0.0
openpyxl>=3.1.5
numpy>=1.24.0
python-dateutil>=2.8.0
Confidence
93% confidence
Finding
pandas>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
psycopg2-binary>=2.9.11
pandas>=2.0.0
openpyxl>=3.1.5
numpy>=1.24.0
python-dateutil>=2.8.0
tzdata>=2023.0
Confidence
93% confidence
Finding
openpyxl>=3.1.5

Unpinned Dependencies

Low
Category
Supply Chain
Content
psycopg2-binary>=2.9.11
pandas>=2.0.0
openpyxl>=3.1.5
numpy>=1.24.0
python-dateutil>=2.8.0
tzdata>=2023.0
et-xmlfile>=1.1.0
Confidence
92% confidence
Finding
numpy>=1.24.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.0.0
openpyxl>=3.1.5
numpy>=1.24.0
python-dateutil>=2.8.0
tzdata>=2023.0
et-xmlfile>=1.1.0
Confidence
88% confidence
Finding
python-dateutil>=2.8.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl>=3.1.5
numpy>=1.24.0
python-dateutil>=2.8.0
tzdata>=2023.0
et-xmlfile>=1.1.0
Confidence
87% confidence
Finding
tzdata>=2023.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
numpy>=1.24.0
python-dateutil>=2.8.0
tzdata>=2023.0
et-xmlfile>=1.1.0
Confidence
88% confidence
Finding
et-xmlfile>=1.1.0

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.