Back to skill

Security audit

SQL Database Toolkit

Security checks across malware telemetry and agentic risk

Overview

This skill largely matches its SQL analysis purpose, but it gives broad database and file/report authority with weak guardrails and includes unsafe or misleading examples.

Review carefully before installing. Use read-only database accounts where possible, avoid running it against production databases without SQL review, do not export sensitive customer/patient/personnel data unless authorized, and treat generated HTML/JSON/temp database files as potentially sensitive. Avoid copying the unsafe shell and query-termination examples directly, and do not rely on the calendar heatmap output until that implementation is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (16)

Intent-Code Divergence

High
Confidence
84% confidence
Finding
The calendar heatmap ignores supplied dates and values and instead generates random data, which can mislead users into trusting fabricated analytics output. In a data-visualization skill, presenting invented results as if they were derived from user data is dangerous because it can drive incorrect operational or business decisions while concealing that input was discarded.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The query() method forwards arbitrary SQL directly to either a live database connector or a local SQLite-backed file connector with no validation or read-only enforcement. In an agent skill context, if untrusted input can reach this method, it enables destructive or state-changing statements such as DROP, UPDATE, INSERT, ATTACH, or database-specific dangerous features against connected systems.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger conditions are broad enough to activate on many generic requests about SQL, data analysis, visualization, reporting, and file handling. This can cause the skill to engage outside the user's intended scope and may lead to unnecessary database access, file processing, or report generation in contexts where a narrower tool should have been selected.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises database connectivity, local file ingestion, report generation, and CDN-backed interactive charts without clearly warning users about data exposure, outbound network dependencies, or where outputs may be written. In a data-analysis context, these behaviors can affect sensitive business data and create privacy or compliance risks if users are not explicitly informed before use.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The guide explicitly demonstrates exporting detailed order data containing fields like order_id, customer_name, region, sales, and order_date to HTML and JSON files on disk, but provides no warning about sensitive-data handling, minimization, access controls, retention, or redaction. In a data-analysis/reporting skill, this can lead users to persist customer-related business data in cleartext artifacts that are easy to copy, share, or expose through weak filesystem permissions or downstream distribution.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The document instructs users to load Chart.js from a third-party CDN but does not clearly warn that this causes a network request to an external service and introduces supply-chain, privacy, and availability risk. In a skill that encourages direct execution of HTML/JavaScript for rendering, this omission matters because users may unknowingly run code that depends on remote content outside their trust boundary.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The PostgreSQL example includes `pg_terminate_backend(pid)` to terminate active queries older than five minutes, but it provides no warning that this forcibly interrupts running work and can abort transactions or disrupt legitimate sessions. In a quick-reference document intended for direct use, operators may copy-paste this command without understanding the operational impact, increasing the chance of accidental denial of service or data-processing interruption.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The MySQL `KILL QUERY <pid>;` example is operationally destructive because it forcibly stops active work, yet the document does not warn about interrupting legitimate queries or transactional operations. Since this is a hands-on CLI cheat sheet, the lack of context makes accidental misuse more likely during production troubleshooting.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The skill content is entirely written in Chinese and also hard-codes Chinese font settings such as SimHei and Microsoft YaHei without any user opt-in or localization fallback. This can force a language/locale choice on downstream users or agents, reducing usability and potentially causing misinterpretation or inaccessible output for users expecting another language.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation phrases are broad enough to match many ordinary requests such as asking to 'draw a chart' or 'make a report,' which can cause the skill to trigger outside its intended scope. Over-broad auto-activation increases the chance that unrelated conversations are routed into this skill, potentially causing confusing behavior, inappropriate tool suggestions, or unsafe chaining with SQL/data-processing workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code creates SQLite database artifacts using tempfile.mktemp and writes converted data to disk without any explicit disclosure or safer file-creation pattern. This is dangerous because mktemp is race-prone and temporary databases may persist on disk, exposing sensitive data or enabling file-placement attacks in shared environments.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script overwrites existing .md files if they contain the auto-generated marker, without an explicit confirmation at the moment of the destructive write. In a skill context that generates files into a shared templates directory, this can cause unintended loss of user-edited content or destructive changes if a file is incorrectly marked or if the directory contents are broader than expected.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The insights() method passes the current dataframe into quick_insights() with no indication of whether that helper calls an external AI service or transmits data off-host. In a data-analysis skill, silent transfer of dataset contents can leak sensitive business or personal data, especially because this method is marketed as automatic AI insight generation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The template includes doctor performance rankings and named physician examples in a healthcare context without any privacy, minimization, or governance guidance. In real deployments, users may substitute actual staff or operational data, which can expose sensitive personnel performance information and potentially combine with patient-related metrics in a regulated environment.

Unvalidated Output Injection

High
Category
Output Handling
Content
]

def run_hive_query(sql):
    result = subprocess.run(
        f'{HIVE_CMD} "{sql}"',
        shell=True, capture_output=True, text=True
    )
Confidence
98% confidence
Finding
subprocess.run( f'{HIVE_CMD} "{sql}"', shell=True, capture_output

Tool Parameter Abuse

High
Category
Tool Misuse
Content
]

def run_hive_query(sql):
    result = subprocess.run(
        f'{HIVE_CMD} "{sql}"',
        shell=True, capture_output=True, text=True
    )
Confidence
96% confidence
Finding
subprocess.run( f'{HIVE_CMD} "{sql}"', shell=True

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.