ClickHouse

Security checks across malware telemetry and agentic risk

Overview

The skill is a real ClickHouse connector, but it presents SQL execution as read-only even though it may change database state.

Install only if you are comfortable letting the agent run ClickHouse SQL through your OOMOL-connected account. Before use, require explicit confirmation for any execute_query call unless the SQL is clearly read-only, and prefer a database user with read-only permissions if the skill is only needed for exploration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The manifest and description frame the skill as only for 'searching and reading data', but the documented `execute_query` action can run arbitrary SQL. That mismatch can cause an agent or user to treat the skill as read-only and invoke it without the safeguards normally applied to write-capable database tools, enabling unintended modification or destructive queries.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The safety section says untagged actions are reads and safe to run directly, yet `execute_query` is untagged despite accepting arbitrary SQL. This creates a direct unsafe-execution path where an agent may run modifying statements without confirmation because the documentation incorrectly labels the capability as safe.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger phrase says to use this skill for ANY ClickHouse request, which is broader than the skill's advertised safe scope and can steer agents away from safer, more constrained alternatives. In context, that broad routing is more dangerous because the skill exposes arbitrary SQL execution under a read-oriented description.

VirusTotal

64/64 vendors flagged this skill as clean.
