SnowflakeDataEngineer

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This Snowflake query skill appears intended for read-only use, but review is recommended because its Snowflake access is under-declared and its advertised row-limit guardrail is incomplete.

Before installing, configure only a least-privilege read-only Snowflake role limited to approved databases and schemas, protect the local HTTP endpoint, and verify the skill truly enforces maximum row limits before allowing autonomous use.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A query could return far more Snowflake rows than the user expects, increasing data exposure, cost, or memory usage despite the skill claiming row limits.

Why it was flagged

The advertised max-row guard is only added when the query text lacks `LIMIT`; the code does not verify that a caller-supplied `LIMIT` is less than or equal to `MAX_ROWS`.

Skill content

if "LIMIT" not in sql_upper:
    sql = sql.rstrip(";") + f" LIMIT {settings.MAX_ROWS}"

Recommendation

Parse SQL or otherwise enforce an outer maximum LIMIT, reject larger caller-supplied limits, and fetch results in bounded batches.

What this means

If configured with a broad Snowflake role, the agent could read any data that role can SELECT, and users may not realize from the registry metadata that the skill needs those account settings.

Why it was flagged

The service relies on local Snowflake identity, role, and scope settings even though the supplied metadata declares no required environment variables and no primary credential; the code also does not verify that the configured role is read-only.

Skill content

SNOWFLAKE_USER = os.getenv("SNOWFLAKE_USER")
SNOWFLAKE_ACCOUNT = os.getenv("SNOWFLAKE_ACCOUNT")
SNOWFLAKE_PRIVATE_KEY_PATH = os.getenv("SNOWFLAKE_PRIVATE_KEY_PATH")
SNOWFLAKE_WAREHOUSE = os.getenv("SNOWFLAKE_WAREHOUSE")
SNOWFLAKE_DATABASE = os.getenv("SNOWFLAKE_DATABASE")
SNOWFLAKE_SCHEMA = os.getenv("SNOWFLAKE_SCHEMA")
SNOWFLAKE_ROLE = os.getenv("SNOWFLAKE_ROLE")

Recommendation

Declare the required Snowflake configuration and credential model, require a least-privilege read-only role, and document the exact database/schema/table scope.

What this means

Localhost plumbing can be normal, but if this service is reachable by other local processes or agents, they could submit queries and receive Snowflake results.

Why it was flagged

The Snowflake query endpoint is a localhost HTTP POST endpoint with no declared endpoint authentication.

Skill content

url: http://localhost:8000/execute
method: POST
timeout_seconds: 60

authentication:
  type: none

Recommendation

Keep the endpoint bound to localhost only, rely on runtime access controls, and add endpoint authentication or process isolation if the service runs outside a trusted local agent sandbox.