DB Readonly

Security checks across malware telemetry and agentic risk

Overview

This skill is a small database query/export helper whose behaviour is disclosed up front; the main risk is where users choose to write exported results.

Install only if you will use a dedicated read-only database account. Review each query before execution, avoid write-capable or admin database credentials, and export only to safe paths, because `--out` can overwrite any file the current user can write.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill is described as read-only for database access, but `--out` enables writing query results to any local filesystem path. In an agent context, this broadens the capability from data inspection to arbitrary local file creation/overwrite, which can be abused to plant files, clobber existing files, or stage data for later misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
At this code path, PostgreSQL query output is redirected to an arbitrary path supplied by the caller. For a skill whose stated purpose is read-only SQL execution, unrestricted local file writes are not necessary and create a separate attack surface that could overwrite sensitive agent-accessible files or drop data into locations consumed by other tools.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding
The script writes PostgreSQL query results to a caller-controlled output path without warning or confirmation. Although this overlaps with SDI-2, it is still a real issue: silent local file creation in an agent skill can surprise users and be chained into broader misuse even when the database query itself is read-only.

Missing User Warnings

Severity: Low
Confidence: 92%
Finding
The MySQL branch has the same issue as the PostgreSQL path: caller-controlled query output can be redirected to any local file path. In isolation this is a low-severity file-write primitive, but in an automation or agent environment it can facilitate unauthorized persistence, overwriting user files, or depositing sensitive database contents on disk.

VirusTotal

64/64 vendors flagged this skill as clean.
