Back to skill

Security audit

Archery SQL Query

Security checks across malware telemetry and agentic risk

Overview

The skill is a real Archery database helper, but it exposes saved login cookies and gives broad database-query capability that deserves manual review before use.

Install only if you are comfortable giving the skill access to Archery and any databases reachable through that account. Use a least-privilege, preferably read-only Archery user, avoid production unless explicitly approved, protect ~/.archery/config.json and ~/.archery/cache/session.json, and do not run the cookie-printing commands or paste their output into chats, logs, or tickets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents capabilities that read and write local files, invoke shell commands, use network access, and rely on environment context, but it does not declare permissions or boundaries for those actions. In a database-query skill, this increases the chance of unintended credential exposure, unsafe command execution, or overbroad access because users and hosts cannot assess or constrain what the skill is allowed to do.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The CLI exposes capabilities beyond the stated skill purpose by including login and cookie-inspection commands in addition to database querying. In an agent skill context, this broadens the attack surface and enables credential/session handling features that are not necessary for read/query workflows, increasing the chance of misuse or secret exposure.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `cookies` command prints saved session cookies, which are bearer-style authentication artifacts that can be reused to impersonate the user against the Archery service. Exposing them through normal CLI output creates a direct credential disclosure path via terminal history, logs, agent transcripts, or downstream tooling.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script stores credentials and reusable session state under the user's home directory, which expands the skill from transient database querying into local secret persistence. If filesystem permissions are weak, the host is shared, or other tools can read these paths, Archery credentials or authenticated session tokens could be exposed and reused for unauthorized database access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes arbitrary SQL execution and broad database exploration across TiDB, MySQL, and StarRocks, but it does not warn about handling sensitive data, limiting scope, avoiding production systems, or restricting destructive queries. In the context of an agent skill, this increases the chance that users or downstream agents run unsafe queries against real environments, causing data exposure, heavy-load incidents, or unintended access beyond least privilege.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger description is very broad and covers generic database-related requests, making accidental invocation more likely in situations where the user did not intend this skill to access live databases or metadata. In this context, over-triggering is risky because the skill can perform networked database operations and expose schema, data samples, or operational information beyond the principle of least surprise.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly supports finding duplicates and generating DELETE statements, but the documentation does not prominently warn that the generated SQL is destructive and can permanently remove production data if the duplicate logic or target selection is wrong. This is more dangerous in a database administration skill because users may treat generated statements as safe automation and execute them against live systems without an approval checkpoint or preview workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to store Archery credentials, including a plaintext password, in `~/.archery/config.json` without any warning about the risk of local credential theft, backup leakage, or safer alternatives. Although file permission hardening is mentioned later, it does not eliminate exposure from compromised user accounts, accidental copying, or insecure endpoint backups, making this a real security weakness in credential handling guidance.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The CLI exposes stored session cookies without any warning, confirmation, or redaction, making accidental disclosure likely in automated environments. In a skill/agent setting, stdout is often captured in logs or returned to users, so revealing session material is especially dangerous and can enable account takeover.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The client persists authenticated session cookies to a plaintext JSON file on disk, which can allow local users, malware, backups, or other processes with filesystem access to reuse the Archery session without needing credentials or 2FA. In a database-query skill, stolen session cookies can directly expose database metadata and query capabilities, making this more dangerous than a generic web session helper.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The wrapper reads database credentials from disk and exports them into process environment variables before launching another process. Environment variables are commonly inherited by child processes and may be exposed through debugging, crash reporting, process inspection in some environments, or accidental logging, which broadens credential exposure beyond the minimum necessary scope.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script silently loads stored credentials from ~/.archery/config.json, reuses session state, and performs authenticated network operations to the configured Archery server without an explicit consent or visibility step at runtime. In an agent-skill context, this increases the risk of unintended use of local secrets and sending potentially sensitive SQL metadata or query results to a remote service the user may not realize is being contacted.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
return 1

    os.environ["ARCHERY_USERNAME"] = username
    os.environ["ARCHERY_PASSWORD"] = password

    server_path = Path(__file__).with_name("archery_mcp_server.py")
    os.execvp("python3", ["python3", str(server_path)])
Confidence
90% confidence
Finding
os.environ["ARCHERY_PASSWORD"]

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
Confidence
97% confidence
Finding
requests>=2.28.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.