SQL Master

Security checks across malware telemetry and agentic risk

Overview

This SQL/data skill is mostly coherent, but it grants an agent broad database, file-system, and local Python execution authority without adequate guardrails.

Install it only if you are comfortable letting the skill access local datasets and database credentials. Use read-only database accounts by default, review every SQL statement before execution, never load pickle files from sources you do not fully trust (unpickling runs code), and write exports only to known safe paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and documents file read/write capabilities, database access, and export behavior, but the metadata shown here does not declare corresponding permissions. That creates a governance gap: users and the platform may authorize the skill based on an incomplete trust boundary, while the documented workflows include local file ingestion and artifact generation that can expose or overwrite data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is a SQL assistant, but the documentation expands behavior into broad local file ingestion, format conversion, report generation, orchestration with other skills, and additional database connectors. This mismatch weakens user consent and reviewability because a user selecting a SQL helper may unknowingly grant a much wider data-processing surface, including handling sensitive local datasets and generating artifacts.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The documentation says file-based data access is unavailable in no-dependency mode, but later presents active local file loading, querying, and export flows without clearly preserving that restriction. This inconsistency can mislead users or integrators into assuming safety properties that do not hold, increasing the chance of unintended local data access or processing in environments that were expected to be constrained.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The restricted-mode section states database connection and SQL execution are unavailable, but later examples show direct connection and execution APIs without restating that they require dependency-enabled or privileged operation. That ambiguity can cause operators to misconfigure the skill or expose database access in contexts where they believed execution was disabled.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The pickle loader calls pandas.read_pickle on caller-supplied files. pandas.read_pickle is a thin wrapper over pickle.load and has no safe mode: a crafted file can execute arbitrary code during deserialization, before any DataFrame exists to inspect. In a skill that accepts local files for SQL/data operations this greatly increases risk, because a user or upstream agent may treat the connector as a generic file reader and unknowingly trigger code execution.
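As an added illustration of this finding (example code written for this page, not the skill's own code), the block below builds a pickle whose payload runs when it is loaded, shows that a plain unpickle executes it, and shows a restricted unpickler that refuses to resolve anything outside an allowlist. The payload calls os.makedirs so the effect is observable without running a shell; a real payload would use os.system or exec through exactly the same mechanism. The allowlist contents and the marker directory are assumptions made for the demo.

```python
"""Added example: a pickle payload that runs code on load, and a loader that refuses it.

Constructed for this page; not the skill's code. pandas.read_pickle ends in
pickle.load, so the same object graph triggers the same call path.
"""
import io
import os
import pickle
import tempfile
from collections import OrderedDict


class EvilFrame:
    """Stands in for a 'DataFrame' inside a crafted file. __reduce__ instructs
    the unpickler to call os.makedirs(marker_dir) while reconstructing the
    object; the class itself never needs to exist on the victim side."""

    def __init__(self, marker_dir: str) -> None:
        self.marker_dir = marker_dir

    def __reduce__(self):
        return (os.makedirs, (self.marker_dir, 0o700, True))


def build_malicious_pickle(marker_dir: str) -> bytes:
    """What an attacker would write to disk as 'data.pkl'."""
    return pickle.dumps(EvilFrame(marker_dir))


def load_untrusted(data: bytes):
    """The vulnerable pattern: plain unpickle of caller-supplied bytes."""
    return pickle.loads(data)


# Allowlist of (module, qualname) pairs the loader may resolve (assumed for the
# demo). Anything else, including os.makedirs, os.system and builtins.exec, is
# refused before the object is constructed.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("datetime", "date"),
    ("datetime", "datetime"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    root = tempfile.mkdtemp()
    marker = os.path.join(root, "pwned")
    payload = build_malicious_pickle(marker)

    blocked = False
    try:
        safe_load(payload)
    except pickle.UnpicklingError:
        blocked = True
    created_by_safe_loader = os.path.isdir(marker)

    load_untrusted(payload)  # the unsafe loader executes the payload
    created_by_unsafe_loader = os.path.isdir(marker)

    # A benign object whose class is on the allowlist still loads normally.
    benign = safe_load(pickle.dumps(OrderedDict(col=[1, 2, 3])))
    return {
        "blocked": blocked,
        "safe_created_marker": created_by_safe_loader,
        "unsafe_created_marker": created_by_unsafe_loader,
        "benign_ok": benign == OrderedDict(col=[1, 2, 3]),
    }
```

An allowlisting unpickler is a stop-gap: real pandas pickles reference many pandas and numpy internals, so the allowlist becomes large and brittle. The better control for untrusted input is to refuse pickle entirely and accept only non-executable formats such as CSV or Parquet.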

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The transform method accepts and executes an arbitrary callable against the current DataFrame, which means any caller able to influence that function can run general Python code, not just data transformations. In an agent-skill context, this breaks the declared SQL-only boundary and can enable filesystem access, network access, subprocess execution, or data exfiltration through a seemingly harmless pipeline API.
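To show the boundary this finding is about, here is an added example (written for this page, not taken from the skill) that places the arbitrary-callable transform next to a registry-based one. Rows are lists of dicts rather than a DataFrame so the block runs without pandas; the trust problem is identical with df.pipe(fn). The transform names, the sample rows and the EXFIL list are assumptions made for the demo.

```python
"""Added example: arbitrary-callable transform beside a name-based registry.

Constructed for this page, not the skill's code.
"""
import os
from typing import Callable

Rows = list[dict]
EXFIL: list = []  # stands in for an attacker's collection point


class UnsafePipeline:
    """The pattern the finding describes: whatever callable the caller passes
    runs with the pipeline's privileges."""

    def __init__(self, rows: Rows) -> None:
        self.rows = rows

    def transform(self, fn: Callable[[Rows], Rows]) -> "UnsafePipeline":
        self.rows = fn(self.rows)
        return self


def attacker_step(rows: Rows) -> Rows:
    """A 'transform' that leaves the data untouched, so the output reveals
    nothing, while stashing the working directory (a real one would read
    credentials and POST them)."""
    EXFIL.append(os.getcwd())
    return rows


# Hardened form: transforms are looked up by name in a fixed registry and take
# only plain-data parameters. A caller, or a prompt-injected agent, can choose
# *which* vetted step runs, never *what code* runs.
def drop_nulls(rows: Rows, column: str) -> Rows:
    return [r for r in rows if r.get(column) is not None]


def select_columns(rows: Rows, columns: list) -> Rows:
    return [{c: r.get(c) for c in columns} for r in rows]


def filter_eq(rows: Rows, column: str, value) -> Rows:
    return [r for r in rows if r.get(column) == value]


TRANSFORMS: dict = {
    "drop_nulls": drop_nulls,
    "select_columns": select_columns,
    "filter_eq": filter_eq,
}


class SafePipeline:
    def __init__(self, rows: Rows) -> None:
        self.rows = rows

    def transform(self, name: str, **params) -> "SafePipeline":
        if not isinstance(name, str) or name not in TRANSFORMS:
            raise ValueError(f"unknown transform {name!r}")
        for v in params.values():
            if callable(v):  # no code smuggled in through parameters either
                raise TypeError("transform parameters must be plain data")
        self.rows = TRANSFORMS[name](self.rows, **params)
        return self


SAMPLE: Rows = [  # constructed rows
    {"id": 1, "region": "eu", "amount": 10},
    {"id": 2, "region": "us", "amount": None},
    {"id": 3, "region": "eu", "amount": 7},
]


def run_unsafe() -> int:
    EXFIL.clear()
    UnsafePipeline(SAMPLE).transform(attacker_step)
    return len(EXFIL)  # the callable ran: 1


def run_safe() -> Rows:
    p = SafePipeline(SAMPLE).transform("drop_nulls", column="amount")
    p.transform("filter_eq", column="region", value="eu")
    return p.transform("select_columns", columns=["id", "amount"]).rows


def safe_rejects_callable() -> bool:
    try:
        SafePipeline(SAMPLE).transform(attacker_step)
    except ValueError:
        return True
    return False
```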

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code mutates sys.path at runtime and imports charts from a sibling skill directory if present. This creates a code-loading boundary violation: an attacker who can place or modify files in that sibling path may cause unintended code execution when visualization is invoked.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The multi-chart path repeats the same unsafe dynamic import pattern, inserting sibling directories into sys.path and importing charts at runtime. This expands the attack surface because report/chart generation can execute attacker-controlled Python code if the filesystem layout is influenced.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code prepends sibling skill directories to sys.path at runtime, altering Python's import resolution globally for the process. If an attacker can place or modify files in those directories, later imports such as charts, interactive_charts, ai_insights, file_connector, or database_connector can be hijacked, leading to arbitrary code execution during import or method invocation.
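The three sys.path findings above share one fix, so here is a single added example (written for this page, not the skill's code) that loads a sibling skill module without touching sys.path, and only after checking that the resolved path stays inside the skills root, that the file is not writable by other users, and that its SHA-256 matches a hash pinned at install or review time. The directory layout, the manifest format and the chart module contents are assumptions.

```python
"""Added example: pinned, path-checked loading of a sibling skill module.

Constructed for this page, not the skill's code. Layout assumed:
<skills_root>/<name>/<name>.py, with a manifest {name: sha256} produced when
the skills were reviewed and stored somewhere the skill cannot write.
"""
import hashlib
import importlib.util
import os
import sys
import tempfile
from pathlib import Path


def load_charts_unsafe(skills_root: Path):
    """The pattern the findings describe: whoever controls ../charts, or can
    create it first, decides what `import charts` means for the whole process."""
    sys.path.insert(0, str(skills_root / "charts"))
    import charts  # noqa: F401
    return charts


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def load_pinned_module(name: str, skills_root: Path, manifest: dict):
    """Load skills_root/<name>/<name>.py only if it is inside skills_root, not
    writable by others, and hashes to the pinned value. sys.path is untouched."""
    root = skills_root.resolve()
    target = (root / name / f"{name}.py").resolve()
    if root not in target.parents:
        raise PermissionError(f"{target} escapes {root}")
    if not target.is_file():
        raise FileNotFoundError(target)
    if os.name == "posix":
        st = target.stat()
        if st.st_uid != os.getuid() or st.st_mode & 0o022:
            raise PermissionError(f"{target} is writable by other users")
    expected = manifest.get(name)
    actual = _sha256(target)
    if expected is None or actual != expected:
        raise ImportError(f"{name}: hash {actual[:12]} is not the pinned value")
    spec = importlib.util.spec_from_file_location(f"skill_{name}", target)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # runs the file, now that it is vetted
    return module


def demo() -> dict:
    skills_root = Path(tempfile.mkdtemp())
    charts_dir = skills_root / "charts"
    charts_dir.mkdir()
    src = charts_dir / "charts.py"
    src.write_text("def render(rows):\n    return f'chart:{len(rows)}'\n")
    src.chmod(0o600)
    manifest = {"charts": _sha256(src)}  # pinned at review time

    rendered = load_pinned_module("charts", skills_root, manifest).render([1, 2, 3])

    # Tamper: the sibling module is rewritten after review.
    src.write_text("import os\ndef render(rows):\n    return os.getcwd()\n")
    src.chmod(0o600)
    try:
        load_pinned_module("charts", skills_root, manifest)
        tampered_blocked = False
    except ImportError:
        tampered_blocked = True

    # Traversal: a name that points outside the skills root is refused before any I/O.
    try:
        load_pinned_module("../../etc", skills_root, manifest)
        escape_blocked = False
    except PermissionError:
        escape_blocked = True

    return {
        "rendered": rendered,
        "tampered_blocked": tampered_blocked,
        "escape_blocked": escape_blocked,
    }
```

The ownership and mode checks only cover POSIX; on Windows the equivalent is an ACL check. The hash pin is what actually closes the hole: without it, a writable sibling directory is still a code-loading path, just a slightly less convenient one.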

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The PostgreSQL quick reference includes a command to terminate backend sessions based on runtime without any warning, scoping guidance, or recommendation to verify the target workload first. In a production-focused SQL skill, this can cause unintended denial of service, kill legitimate long-running jobs, and disrupt transactions if copied blindly by users. A practitioner would first list candidates from pg_stat_activity (excluding the current session via pg_backend_pid() and filtering by user, database, and application_name), prefer pg_cancel_backend, which cancels the running statement but keeps the session, and reserve pg_terminate_backend for reviewed pids.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The MySQL section documents SET GLOBAL changes to slow query logging and KILL QUERY without warning about server-wide impact, required privileges, persistence behavior, or the risk of terminating critical workloads. Because this skill targets production SQL operations, users may apply these commands directly and inadvertently affect service availability, observability settings, or active business transactions. Specifically: SET GLOBAL affects every new session and requires SUPER or SYSTEM_VARIABLES_ADMIN, it does not survive a server restart (SET PERSIST does, which is a different risk), and KILL QUERY on another user's connection requires SUPER or CONNECTION_ADMIN. None of this is stated where the commands appear.
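The overview's advice to review every SQL statement before execution covers both of the "Missing User Warnings" findings above. As an added example (written for this page, not the skill's code), the block below is a pre-execution gate that classifies a proposed statement and refuses session-control and server-setting commands unless they are explicitly confirmed. It is a coarse keyword classifier rather than a SQL parser: it strips comments and string literals in a single pass, scans for pg_terminate_backend, pg_cancel_backend, KILL and SET GLOBAL/PERSIST anywhere in the statement (a termination hidden inside a SELECT is still a termination), and otherwise classifies by the verbs present. The sample statements and the gate policy are constructed for the demo.

```python
"""Added example: a pre-execution gate for statements an agent proposes.

Constructed for this page, not the skill's code. A keyword classifier, not a
parser; false positives are the safe direction for a gate like this.
"""
import re

# One pass over comments and literals so a '--' inside a string is not a comment
# and a keyword inside a comment or literal is not code.
NOISE = re.compile(
    r"/\*.*?\*/"                 # block comment
    r"|--[^\n]*|#[^\n]*"         # line comments (PostgreSQL, MySQL)
    r"|'(?:[^'\\]|\\.|'')*'"     # single-quoted literal with '' and \' escapes
    r"|\$\$.*?\$\$",             # PostgreSQL dollar-quoted body
    re.S,
)
SESSION_CONTROL = re.compile(r"\b(pg_terminate_backend|pg_cancel_backend|kill)\b")
SERVER_SETTINGS = re.compile(r"\bset\s+(global|persist(_only)?)\b")
DDL = {"create", "alter", "drop", "truncate", "rename"}
DML = {"insert", "update", "delete", "merge", "copy"}
READ = {"select", "show", "describe", "desc", "explain", "values", "with", "table"}


def strip_noise(sql: str) -> str:
    return NOISE.sub(" ", sql)


def classify(sql: str) -> str:
    """One of: read, write, ddl, session_control, server_setting, empty, unknown."""
    body = strip_noise(sql).lower()
    tokens = re.findall(r"[a-z_][a-z0-9_]*", body)
    if not tokens:
        return "empty"
    if SESSION_CONTROL.search(body):
        return "session_control"
    if SERVER_SETTINGS.search(body):
        return "server_setting"
    if any(t in DDL for t in tokens):
        return "ddl"
    if any(t in DML for t in tokens):  # catches WITH ... DELETE and FOR UPDATE too
        return "write"
    if tokens[0] in READ:
        return "read"
    return "unknown"


def gate(sql: str, allow_writes: bool = False, confirm_admin: bool = False) -> tuple:
    """Returns (allowed, kind, reason). Reads pass; writes and DDL need a
    write-capable account; session control and server settings need an explicit
    per-statement confirmation after the target and privileges were checked."""
    kind = classify(sql)
    if kind == "read":
        return True, kind, "read-only statement"
    if kind in ("write", "ddl"):
        return allow_writes, kind, "requires a write-capable account and review"
    if kind in ("session_control", "server_setting"):
        return confirm_admin, kind, "affects other sessions or the whole server; confirm target and privileges first"
    return False, kind, "unclassified statement; review manually"


SAMPLES = [  # constructed statements an agent might propose
    "SELECT id, amount FROM orders WHERE region = 'eu'",
    "WITH old AS (SELECT id FROM orders WHERE ts < now() - interval '1 year') "
    "DELETE FROM orders WHERE id IN (SELECT id FROM old)",
    "SELECT pg_terminate_backend(pid) FROM pg_stat_activity "
    "WHERE now() - query_start > interval '5 minutes'",
    "SET GLOBAL slow_query_log = 1",
    "KILL QUERY 42",
    "/* looks harmless */ DROP TABLE audit_log",
    "SELECT note FROM t WHERE note = 'DROP TABLE x -- kill'",
]


def review(statements=SAMPLES) -> list:
    return [(s[:40], *gate(s)) for s in statements]
```

The limits are deliberate: an identifier that happens to equal a verb (a column called update) is flagged, and vendor-specific syntax not listed here lands in "unknown", which the gate also refuses. Both errors keep the human in the loop, which is the point of the check.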

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal