postgresql-skill

Security checks across malware telemetry and agentic risk

Overview

This PostgreSQL skill mostly does what it says, but its `schema-summary` command can read sample rows from every table and may unexpectedly expose sensitive database data.

Install only if you are comfortable giving the skill database credentials and allowing it to run SQL against that database. Use a least-privilege, read-only database account where possible, avoid production or sensitive databases, and be especially cautious with `schema-summary`, because it can return real sample records from every table, not just column metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents use of environment variables and local file reads (for DB_* overrides and config.yaml) but does not declare corresponding permissions. Undeclared capabilities reduce transparency and can bypass policy controls, making it easier for an agent to access sensitive configuration or secrets without explicit approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented behavior goes beyond basic PostgreSQL operations by including schema-wide enumeration, row counts, and sampling data from every table. In a database skill, this materially increases data exposure because an agent may retrieve sensitive records or metadata far beyond the user's narrow request, enabling unnecessary reconnaissance and leakage.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The `schema-summary` feature does more than summarize schema: it executes `SELECT * ... LIMIT 3` against every table and returns live sample rows. In a database skill, that creates broad unintended data exposure because sensitive records from any table can be exfiltrated through a command that appears informational rather than data-reading.

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
The docstring says `Get full schema summary with sample data`, but the broader issue remains that the feature name and role suggest schema inspection while it reads actual table contents. Misleading or understated semantics are dangerous in agent skills because callers may invoke the function assuming metadata-only access, causing accidental disclosure of live data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This path exposes sample data from every table without any user-facing disclosure, confirmation, or minimization. In practice, a single command can leak PII, credentials, tokens, or business data across the whole database, which is especially risky in an agent context where users may not realize they are authorizing content extraction.

VirusTotal

VirusTotal findings are pending for this skill version.
