mongodb-query

Security checks across malware telemetry and agentic risk

Overview

This MongoDB debugging skill is transparent about what it does, but it recommends saving credential-bearing database connection strings in a project notes file.

Install only if you are comfortable giving the agent MongoDB access. Use a least-privilege, preferably read-only database account; avoid root or admin production credentials; do not save full connection strings in TOOLS.md or source control; and verify the Kubernetes namespace/context before using port-forward mode.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill explicitly recommends storing full MongoDB connection strings, including usernames and passwords, in `TOOLS.md`. Documentation files are often committed to source control, shared with teammates, indexed by tools, or exposed in logs, so this guidance materially increases the chance of credential leakage and subsequent unauthorized database access.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal