ClawHub

PostgreSQL Skill - 高级数据库管理

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PostgreSQL helper skill, but users should treat database credentials and write/admin commands carefully.

Install only if you want agent help with PostgreSQL. Use least-privilege or read-only database accounts where possible, avoid pasting real passwords or full connection strings into chats or logs, confirm the target host and database, and manually approve any UPDATE, CREATE INDEX, backup, restore, or sudo installation step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description uses broad activation cues such as mentions of PostgreSQL, Postgres, complex queries, and performance optimization, which can cause the skill to trigger in contexts where the user did not intend database access or SQL generation. In an agent environment, over-broad routing increases the chance of unintended handling of sensitive database-related tasks, including generation of dangerous queries or exposure of operational guidance in the wrong context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation shows credential handling via environment variables and connection strings containing usernames and passwords, but does not warn users against pasting real secrets into chat, logs, shell history, or shared environments. In a skill designed for database administration, this omission is risky because users are likely to follow the examples directly, increasing the chance of credential leakage and unauthorized database access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal