databricks-helper

Security checks across malware telemetry and agentic risk

Overview

This Databricks skill matches its stated purpose, but it can directly affect live jobs and expose sensitive run output, so it needs review before installation.

Install only if you trust the agent with Databricks access. Use a least-privilege token, keep DATABRICKS_ALLOW_WRITE_SQL unset unless you truly need write SQL, and manually confirm any job trigger, retry, cancellation, or log/output request before allowing execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium, 84% confidence
Finding
The tool advertises run-sql as read-only, but a simple environment flag disables the read-only guard and permits write/DDL statements. In an agent-skill context, this increases risk because an operator or calling environment may unknowingly enable destructive SQL execution, allowing data modification, privilege changes, or schema changes through a tool expected to be safe for inspection only.

Vague Triggers

Low, 90% confidence
Finding
The trigger phrase "what failed this morning" is broad enough to match ordinary conversation that does not explicitly reference Databricks. In an agent environment, overly broad triggers can cause unintended skill invocation, exposing Databricks workspace metadata or enabling operational actions like reruns/cancellations when the user did not intend to use this skill.

Missing User Warnings

Medium, 88% confidence
Finding
The run-details command fetches and prints job output, logs, and notebook results directly to stdout, which can expose secrets, personal data, internal paths, tokens, SQL text, or other sensitive operational data. In an agent setting, stdout is often captured, relayed, summarized, or stored, which amplifies the chance of unintended disclosure beyond the original Databricks audience.

VirusTotal

66/66 vendors flagged this skill as clean.