Security checks across malware telemetry and agentic risk

Overview

This Supabase skill appears purpose-built, but it gives an agent broad database-changing power and sends vector-search text to a third-party embedding service with limited guardrails.

Install only if you intend to let the agent administer a Supabase project. Prefer a test project or least-privilege credentials, avoid production service-role keys where possible, review every raw SQL/update/delete/RPC action before execution, and do not use sensitive vector-search text unless you trust the SkillBoss embedding provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes shell-based operational capability but does not declare corresponding permissions, which weakens transparency and policy enforcement around what the skill can do. In this context, the shell is used to drive database operations with high-privilege credentials, so undeclared execution capability materially increases risk if the skill is triggered unexpectedly or reviewed superficially.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill description understates important behaviors: it transmits vector-search query text to an external embedding service, requires a separate API key, and supports arbitrary RPC execution. This mismatch can cause users or orchestrators to route sensitive database-related tasks into a skill that may exfiltrate query content to a third party or perform broader actions than expected.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The vector-search path sends the user's query text to a third-party service at api.heybossai.com to generate embeddings, but the skill metadata describes Supabase operations and does not disclose this additional outbound data flow. This creates a real data exposure risk because users may assume their database/search input stays within Supabase, while potentially sensitive search text is transmitted to an unrelated external provider.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Vector search depends on an unrelated credential, SKILLBOSS_API_KEY, even though the skill is presented as a Supabase integration. This broadens the trust boundary, increases secret-management risk, and may cause operators to provide an unnecessary high-value credential to a tool that should only need Supabase credentials.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger text is broad enough to activate on many common database or embeddings-related requests, increasing the chance this high-privilege skill is selected when not strictly needed. Because the documented setup recommends a Supabase service-role key that bypasses RLS, accidental invocation could expose or modify sensitive data beyond the user's intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation presents destructive operations such as update and delete as routine commands without safeguards, warnings, or confirmation guidance. In a skill designed for database administration, that omission is dangerous because users or agents may execute irreversible data changes directly against production systems, especially when using a service-role key that bypasses RLS.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script interface and usage text do not warn that vector-search will transmit the user-provided query to an external API for embedding generation. In a database-oriented skill, search prompts can contain proprietary or personal data, so undisclosed exfiltration to a third party is a meaningful security and privacy issue.

VirusTotal

66/66 vendors flagged this skill as clean.