TiDB X

Security checks across malware telemetry and agentic risk

Overview

This is a TiDB cloud database guidance skill with normal credential-handling cautions but no hidden or malicious behavior in the artifacts.

Before installing, review the remote SKILL.md or use a pinned version if available. When running the TiDB Cloud examples, treat tidb-zero.json and MYSQL_PWD as secrets: do not commit or share them, delete or unset them when done, and be deliberate about what agent memory or user data you store in the cloud database.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The quick-start flow provisions a database instance and writes the full response, including username and password, to a local file and environment variable without warning about secret handling, file permissions, cleanup, or shell history exposure. In an agent setting, this increases the chance that credentials are logged, persisted, or read by other local processes, which can lead to unauthorized database access during the instance lifetime.

VirusTotal

65/65 vendors flagged this skill as clean.
