database-toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a transparent database utility that can change real databases, so it is appropriate only for users who intentionally want that capability.

Install only if you want an agent to operate on databases, and:
  • Use read-only or least-privileged database users where possible.
  • Review SQL before writes/deletes.
  • Back up important databases first.
  • Avoid production root credentials.
  • Do not invoke Redis flush operations unless you intend to erase that Redis DB.
  • Pin dependencies in controlled environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding: The distributed lock is unsafe because it stores a constant value and releases the lock by blindly deleting the Redis key, without verifying that the caller still owns it. If the lock expires and is reacquired by another worker, a stale owner can delete the new owner's lock, breaking mutual exclusion and enabling race conditions, data corruption, or concurrent execution of critical sections.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill explicitly advertises direct database update and backup operations, and later shows raw SQL execution and insert examples without enforcing read-only mode, authorization checks, scope limits, or strong irreversible-action warnings. In an agent setting, this materially increases the chance of destructive or unintended modification of local databases, data corruption, bulk exfiltration via backup, or misuse of privileged database access.

Missing User Warnings

Severity: High
Confidence: 90%
Finding: Providing an unrestricted flushdb() helper makes it easy for any caller with access to this wrapper to erase the entire selected Redis database. In agent or plugin contexts, such dangerous convenience methods increase the blast radius of misuse, accidental invocation, or abuse by untrusted consumers.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
pandas
# MySQL (optional): pymysql sqlalchemy
Confidence: 95%
Finding: pandas

Known Vulnerable Dependency: pandas — 1 advisory: CVE-2020-13091 (** DISPUTED ** pandas through 1.0.3 can unserialize and execute commands from an)

Severity: High
Category: Supply Chain
Confidence: 73%
Finding: pandas

VirusTotal

67/67 vendors flagged this skill as clean.