ClawHub

sqlite-reader

Security checks across malware telemetry and agentic risk

Overview

This SQLite reader is not clearly malicious, but its query mode can modify databases despite being presented as a read-oriented inspection tool.

Install only if you are comfortable giving the skill access to local SQLite contents. Use it on copies of important databases, run only SELECT-style queries, and avoid exporting sensitive OpenClaw memory or user data unless you control the output path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises creation of a Python script that can export data to CSV/JSON, which implies file-write capability, but no permissions are declared. Undeclared write behavior weakens reviewability and can lead operators to grant or execute the skill without understanding that it may create or overwrite local files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is described as a SQLite reader for inspection and basic SELECT queries, but the content says it can execute arbitrary SQL queries and export results. If implemented as described, arbitrary SQL against SQLite can modify or delete data, attach other databases, invoke write-affecting pragmas, or otherwise exceed the expected read-only scope, making the mismatch dangerous because users may trust it as safe for inspection only.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill description emphasizes inspection/querying, but the implementation also writes data to an arbitrary CSV path. While CSV export may be a legitimate convenience feature, it expands the capability from read-only inspection to filesystem modification, which can surprise callers and violate least-privilege expectations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code executes arbitrary SQL supplied via --query without enforcing read-only SELECT semantics, even though the skill is presented as a database reader. In SQLite, this allows destructive or state-changing statements such as DROP, DELETE, UPDATE, ATTACH, or PRAGMA-based modifications, turning a read utility into a database modification primitive.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The CSV export feature writes to any caller-supplied path, which can overwrite files or create new files on the local system without guardrails. In this skill's context the risk is lower than arbitrary command execution, but it still introduces unintended local side effects inconsistent with a nominally read-oriented tool.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal