querydb-skill

Security checks across malware telemetry and agentic risk

Overview

This database skill exposes live-looking database credentials and includes unguarded write-capable SQL execution, so it needs review before installation.

Only install after removing and rotating the exposed database credentials, replacing examples with placeholders or secure secret loading, using read-only database accounts by default, and adding explicit user confirmation for exports or any non-SELECT SQL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill is presented as a database query helper, but the documentation shows substantially broader behavior: generating test cases, exporting JSON, and even claims support for database write operations. This mismatch can cause the agent or user to invoke a more powerful skill than intended, increasing the chance of unauthorized data modification or exfiltration under a seemingly safe description.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation contains hardcoded host, database name, username, password, and real tax identifier data for a live test environment. Exposing usable credentials in a skill file enables immediate unauthorized database access, data theft, tampering, and pivoting, and the database-focused context makes the secret directly actionable rather than theoretical.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is presented as query-oriented, but DatabaseClient exposes a generic execute() method that allows INSERT/UPDATE/DELETE with commit. In an agent-skill context, undocumented write capability is dangerous because an LLM or user could be induced to perform destructive or unauthorized database modifications under the guise of a read-only operation.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The class is documented as a general query client, yet it supports arbitrary SQL execution including mutating statements. This mismatch increases the chance that operators, orchestration layers, or downstream agents will trust it as read-only and accidentally permit harmful state-changing actions against production data.

Missing User Warnings

High
Confidence
98% confidence
Finding
Displaying real connection details and credentials without warnings, masking, or consent flow exposes sensitive infrastructure information directly to anyone who can read the skill. Because this skill's core purpose is database connectivity, the leaked details are immediately exploitable for unauthorized querying of potentially sensitive invoice and taxpayer data.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Hardcoded live-looking database host, username, password, and database name in runnable example code expose sensitive credentials directly in source. If reused or committed to a repository, attackers or unauthorized users could access the database, exfiltrate data, or modify records depending on account privileges.

VirusTotal

64/64 vendors flagged this skill as clean.