Back to skill

Security audit

Alibabacloud Emr Starrocks Assistant

Security checks across malware telemetry and agentic risk

Overview

This StarRocks operations skill is mostly purpose-aligned, but it needs review because it can install tooling, persist database credentials, and attempt environment-based login before explicit user approval.

Install only if you are comfortable letting an agent operate against your StarRocks environment. Use a least-privilege database account, avoid preloading SR_PASSWORD unless you want non-interactive login, review and remove ~/.starrocks profiles when done, and do not copy the inline credential or HTTP remote-code examples into production without replacing them with secure secret handling and trusted artifact sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill exposes significant capabilities—shell execution, file access, environment access, and network connectivity—while its declared metadata only lists allowed tools and does not clearly communicate the full effective permission surface. This mismatch can mislead reviewers and users about what the skill can actually do, reducing informed consent and increasing the chance that sensitive local state, credentials, or network endpoints are touched unexpectedly.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description frames the skill as an assistant for development and diagnostics, but the body authorizes materially more sensitive behavior: local credential storage, arbitrary SQL execution including mutating statements, grant introspection, profile deletion, and external network calls for connectivity diagnostics. That gap is dangerous because users may consent to advisory help without realizing the skill can perform state-changing database operations and persist secrets locally.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The UDF section shows how to register executable Java code from a remote JAR URL, which enables code execution inside the StarRocks environment. In a documentation skill focused on SQL development and operations, exposing remote code-loading without strong trust, integrity, and privilege warnings materially increases the risk of users deploying untrusted code into the cluster.

Missing User Warnings

Low
Confidence
71% confidence
Finding
The documentation states that rerunning sr-login silently overwrites the stored credential for a profile, but it does not place a clear warning beside that behavior. Silent replacement can cause accidental credential loss, connection to the wrong cluster, or unintended use of another account, especially in multi-profile environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation includes credential-bearing configuration examples for OSS and other cloud providers without an explicit warning about secret handling, rotation, least privilege, and avoiding hardcoded credentials. In an assistant skill context, users may copy these patterns directly into chats, scripts, notebooks, or repos, increasing the chance of credential leakage and unauthorized access to cloud storage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation shows cloud storage access credentials as inline SQL parameters, including access key ID and secret fields, without any warning not to hardcode real secrets or guidance to use safer credential mechanisms. In a data-platform assistant, users commonly copy examples directly into worksheets, logs, tickets, or shared notebooks, so this pattern can lead to credential exposure through query history, monitoring systems, screenshots, and source control.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Pipe continuous-ingestion example again embeds cloud storage credentials directly in the statement and provides no caution about long-lived secret exposure. This is especially risky for a long-running ingestion object because the statement may persist in metadata, administrative views, logs, or monitoring surfaces, increasing the chance that credentials are retained and disclosed over time.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document includes a copy-pastable SASL/JAAS example with a plaintext username and password and no warning that these values are sensitive placeholders. In an operational assistant focused on data ingestion and cluster connectivity, users may paste real credentials into SQL or documentation-derived configs, increasing the risk of credential leakage through source control, shared docs, screenshots, logs, or query history.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation repeatedly demonstrates Stream Load requests over plain HTTP and includes examples with inline basic-auth credentials and local file uploads. This can expose database credentials and ingested data to interception or misuse on untrusted networks, and the use of `--location-trusted` can further propagate credentials during redirects; in an ops assistant context, users may copy these commands directly into production workflows.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The FILES() example includes inline AWS access and secret keys, normalizing the practice of embedding cloud credentials directly in SQL text. This can lead to credential leakage via query logs, history, screenshots, notebooks, shared scripts, or audit systems, especially in collaborative data platforms.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The scalar UDF registration example loads a JAR over plain HTTP and gives no warning about authenticity or integrity. This creates a direct supply-chain and man-in-the-middle risk, where a tampered artifact could be executed by the database cluster with the permissions of the StarRocks runtime.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The aggregate and table UDF examples similarly encourage fetching and executing remote JARs without warning that this introduces arbitrary code into the cluster. Because these examples are operationally actionable, they lower the barrier to unsafe deployment of external code and can result in cluster compromise, data access, or service disruption.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code makes an outbound request to ipinfo.io to determine the user's public egress IP without prior explicit user notice or consent at the time of the lookup. Even though only the caller's source IP is exposed, that is still network-identifying information sent to a third party and may violate privacy, compliance, or sandbox/network-isolation expectations in enterprise environments.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
When this Skill is invoked and you anticipate running any cluster query, ensure `srsql` is available *before* asking the user for anything:

1. Run `which srsql`. If it returns a path, skip to step 4.
2. If missing, install it yourself: `uv tool install <skill-project-root>` where `<skill-project-root>` is the directory containing this `SKILL.md` and `pyproject.toml` (the Skill's base directory shown at invocation time; commonly `~/.claude/skills/alibabacloud-emr-starrocks-assistant/`, which may be a symlink). **Do not ask the user to run this** — the bundled CLI is part of the Skill's capability surface, not user infrastructure.
3. If `uv` itself is missing (`which uv` fails), surface that to the user — `uv` is a system tool and not auto-installed.
4. Check `~/.starrocks/{profile}.cnf` (default profile name: `default`; respect `SR_PROFILE` env var if set). If it exists, skip to step 5. If missing:
   - **First try `sr-login --from-env`.** Safe to call unconditionally — it exits 2 with a clear "missing" message when the environment doesn't have the credentials it needs, and does nothing else. You do not need to inspect environment variables yourself.
Confidence
90% confidence
Finding
Do not ask the user

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.