databricks-helper

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s Databricks behavior is coherent and disclosed, but it uses a Databricks token and can start, retry, or cancel jobs, so users should limit permissions and confirm high-impact actions.

Install only if you are comfortable letting the agent use a Databricks token for the configured workspace. Use a least-privilege token, verify DATABRICKS_HOST, keep DATABRICKS_ALLOW_WRITE_SQL unset unless you truly need writes, and manually confirm job run/retry/cancel actions.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used incorrectly, the agent could start expensive jobs, retry failed workflows, or cancel active production runs.

Why it was flagged

The skill intentionally exposes Databricks job mutation operations, including starting, retrying, and canceling runs. This is purpose-aligned but high impact if invoked on production jobs.

Skill content

Starts a new run or reruns failed tasks via the Jobs Repair API. ... Calls `jobs/runs/cancel` with safety checks and prints confirmation.

Recommendation

Use least-privilege Databricks credentials and require explicit user confirmation for run, retry, cancel, or write-SQL actions.

What this means

The agent can act with whatever Databricks permissions the configured token has.

Why it was flagged

The skill relies on a Databricks personal access token and may use privileges that can read workspace metadata, execute SQL, and manage job runs.

Skill content

`DATABRICKS_TOKEN` — personal access token ... Requires CAN_VIEW for read operations, CAN_MANAGE_RUN to trigger/cancel/repair runs, and SQL warehouse access.

Recommendation

Provide a scoped token or service principal with only the Databricks permissions needed, avoid admin tokens, and rotate the token if it is exposed.

What this means

Users relying only on registry metadata may not realize the skill needs a Databricks token and significant workspace permissions.

Why it was flagged

The registry metadata does not declare the source/provenance or the Databricks credential requirements, even though the documentation does disclose them.

Skill content

Source: unknown; Homepage: none ... Env var declarations: none ... Primary credential: none

Recommendation

Review the SKILL.md/README before installing, verify the code source where possible, and update metadata to declare required env vars and credentials.

What this means

Log messages or table samples could expose sensitive business data in the chat, and arbitrary text in results should not be treated as instructions.

Why it was flagged

The skill can bring Databricks logs and table rows into the agent conversation. That is expected, but those outputs may contain sensitive data or untrusted text.

Skill content

"show detailed logs for run 123" ... "preview table main.bronze.events" ... "Catalog + SQL commands return textual lists or tabular results."

Recommendation

Query only needed data, avoid previewing sensitive tables, redact secrets from logs, and treat returned rows/logs as data rather than commands.