ClawHub

MongoDB Admin Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only MongoDB administration reference; it includes powerful commands that can damage data if misused, but the behavior matches its stated purpose and shows no hidden execution or exfiltration.

Install only if you want the agent to help administer MongoDB. Before running any command from this skill, confirm the host, database, collection, credentials, backup state, and whether the target is production; avoid putting real passwords in shell-visible connection strings; require explicit approval for drop, restore/import, user/role, replica set, maintenance, and backup-deletion operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents destructive commands such as dropping a database and collection without any explicit warning, confirmation step, or guidance to verify the target environment first. In an admin skill intended for real MongoDB instances, this omission materially increases the chance of accidental irreversible data loss, especially if an agent or operator copies commands into production.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Restore and import operations can overwrite, duplicate, or otherwise alter existing data, yet the skill presents them as routine commands without warning about preexisting contents or environment targeting. In a database administration context, this can lead to integrity loss or service disruption if executed against the wrong database or without staging verification.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The automated backup script permanently deletes old backup directories with rm -rf based only on age, without warning users that historical recovery points will be removed. In a backup workflow, silent retention deletion increases the risk that operators discover too late that needed restore points are gone, undermining recovery and incident response.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill includes disruptive maintenance and replica set commands such as rs.stepDown(), forced reconfiguration, compact, repair, reIndex, and cleanup operations without warning about downtime, election events, locking, or cluster instability. Because this skill is explicitly for MongoDB administration and covers production-oriented tasks, omission of service-impact warnings makes accidental operational outages significantly more likely.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal