Security audit

Phy Sql Explainer

Security checks across malware telemetry and agentic risk

Overview

This SQL helper is coherent, but it may run live database analysis commands without enough safety limits.

Install only if you want help analyzing SQL performance. Prefer pasting EXPLAIN output yourself. Before letting an agent connect to a real database, confirm the exact database, use read-only or sandbox access, avoid production when possible, and review any EXPLAIN ANALYZE, ANALYZE, or CREATE INDEX command before it runs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs the agent to run EXPLAIN/EXPLAIN ANALYZE when a database is accessible, but it does not warn that this executes the user-supplied query text against a live system. On PostgreSQL, EXPLAIN ANALYZE actually runs the statement, so a pasted query could trigger writes, expensive operations, locks, or side effects if not restricted to read-only SELECT statements and safe environments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.