SQL Connector

Security checks across malware telemetry and agentic risk

Overview

This is a real SQL Server connector, but it needs review because it can give an agent broad database read/write power with weak scoping and under-disclosed credential handling.

Install only if you intentionally want agents to access SQL Server. Use a dedicated least-privilege account, prefer read-only credentials unless writes are required, keep .env out of repositories and shared workspaces, pin reviewed dependency versions, and require human approval for INSERT, UPDATE, DELETE, migration, or cross-backend copy operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill documentation exposes environment-based credential use and installation/usage patterns, but it does not declare permissions for access to environment variables or shell-related capability despite clearly depending on them. In an agent ecosystem, undeclared capabilities weaken transparency and policy enforcement, making it easier for a skill to access sensitive secrets or invoke installation flows without informed approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
72% confidence
Finding
The documented purpose describes a generic execute/query/scalar SQL transport, but the detected behavior includes dynamic backend resolution from environment variables and an additional connectivity/self-test capability that are not disclosed. That mismatch increases risk because operators may approve the skill for limited DB access while it can select arbitrary configured targets or perform network-reachability actions outside the stated interface.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation says the skill is 'stable, production-ready', 'battle-tested', and 'used in production daily' while the manifest explicitly labels it ALPHA and warns 'use at your own risk'. This mismatch can cause operators to deploy immature database connectivity code into production with unjustified trust, increasing the chance of outages, unsafe handling of credentials, or misuse of write-capable APIs.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The README presents the package as 'STABLE' and 'Battle-tested in production' while the skill metadata explicitly says 'ALPHA: use at your own risk.' This can mislead users and automated agents into assigning unjustified trust, increasing the likelihood that they deploy immature code in sensitive environments without sufficient review or safeguards.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The versioning section repeats claims that releases are stable, production-ready, and thoroughly tested, directly conflicting with the manifest's ALPHA warning. Such contradictory trust signaling is dangerous in a database connector because agents may grant broad access to live databases based on inaccurate maturity claims.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide instructs users to place SQL usernames and passwords in a workspace .env file and even shows realistic plaintext password examples, but it does not warn against committing the file, exposing it to other agents, or storing long-lived production credentials in plaintext. In an agent workspace context, this is especially risky because shared working directories, logs, backups, and repository sync can leak secrets and enable unauthorized database access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples perform INSERT and UPDATE operations against production-style tables such as memory.Memories without clear warnings that they mutate persistent data. Users may copy-paste these examples into real environments, causing unintended data modification, corruption of agent memory state, or writes against production databases during testing.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The documentation advertises write-capable methods like execute() for INSERT/UPDATE/DELETE without prominently warning that they can alter or destroy database data. In an agent skill context, this is more dangerous because autonomous or semi-autonomous consumers may invoke the skill based on examples alone and unintentionally perform destructive operations against real databases.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The markdown explicitly demonstrates write operations and lists required database credential variables, but it does not warn that the skill can modify persistent data or that the environment variables contain sensitive secrets. In agent-driven contexts, omission of these warnings can lead to unsafe use, accidental destructive writes, or careless handling of high-value DB credentials.

Credential Access

High
Category
Privilege Escalation
Content
import os
import pathlib as _pathlib

def _find_env() -> str | None:
    # Walk up to five parent directories from this module's location and
    # return the first .env file found, or None if there is none.
    p = _pathlib.Path(os.path.abspath(__file__)).parent
    for _ in range(5):
        c = p / '.env'
        if c.exists():
            return str(c)
        p = p.parent
    return None
Confidence
82% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
_env_loaded = False

def _ensure_env_loaded() -> None:
    """Load .env once, lazily, on first connector creation."""
    global _env_loaded
    if not _env_loaded:
        _env = _find_env()
Confidence
88% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
pymssql>=2.2.0
python-dotenv>=1.0.0
Confidence
87% confidence
Finding
pymssql>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pymssql>=2.2.0
python-dotenv>=1.0.0
Confidence
93% confidence
Finding
python-dotenv>=1.0.0

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
76% confidence
Finding
python-dotenv

VirusTotal

VirusTotal findings are pending for this skill version.