postgres mcp

Security checks across malware telemetry and agentic risk

Overview

This PostgreSQL skill is coherent for database administration, but it gives an agent broad live-database authority with several under-scoped safeguards.

Review before installing. Use a dedicated least-privilege PostgreSQL account, enable read-only mode by default, avoid production credentials in command lines or persistent config files, pin the postgres-mcp package or image version, and require explicit confirmation for writes, DDL, index creation, scheduled tasks, and backend cancellation or termination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill documents use of pg_cancel_backend and pg_terminate_backend, which enables termination of other database sessions and can disrupt legitimate workloads. In a general-purpose SQL execution skill, exposing operational kill capabilities expands impact well beyond query execution and can be abused for denial of service or to interfere with monitoring, backups, migrations, or concurrent users.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
The skill is documented as a PostgreSQL health-check assistant, but the example instructs the assistant to set up a scheduled task, which expands behavior into automation/persistence beyond the stated scope. This can mislead an agent into taking ongoing actions without clear authorization boundaries, creating a risk of unintended task creation, privilege misuse, or policy bypass in environments where scheduling capabilities exist.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The README states that `/postgres` will automatically route to a functional module based on user intent, but it does not define routing constraints, approval requirements, or how dangerous modules such as SQL execution are gated. In a security-sensitive database skill, ambiguous intent routing can cause the agent to invoke higher-risk capabilities than the user explicitly requested, increasing the chance of unintended schema access or SQL execution.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The skill trigger description is broad enough to activate on many generic PostgreSQL or database-related conversations, which can cause the agent to route users into a capability that includes SQL execution and database operations when they may only be seeking general advice. In this context, over-triggering is more dangerous because the skill is explicitly empowered to inspect schemas, analyze queries, and potentially execute SQL, increasing the chance of unintended sensitive operations or disclosure.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The frontmatter says to use the skill whenever users need to execute SQL, query, update, insert, or delete data, which is an overly broad invocation scope for a high-impact capability. Broad routing increases the chance the agent will select this skill in ambiguous situations and perform destructive or privacy-sensitive database actions without sufficient narrowing, least-privilege checks, or safer alternatives.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The skill description and frontmatter include broad activation phrases like 'slow queries', 'performance tuning', and 'need to add indexes', which can cause the agent to invoke this skill for loosely related PostgreSQL requests. In a skill that can recommend and potentially execute CREATE INDEX operations, over-broad routing increases the chance of unintended database analysis or schema-changing actions in contexts where the user did not explicitly ask for index tuning.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The skill description is broadly scoped and encourages activation for many generic PostgreSQL or database-related requests, which can cause the agent to invoke a powerful schema/SQL-generation capability in situations where the user did not explicitly request database access. In this context, overbroad activation increases the chance of unnecessary schema inspection or SQL generation against sensitive systems, especially because the skill can enumerate tables, functions, triggers, and other metadata.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill recommends schema caching but does not define cache scope, retention, access controls, or sanitization of sensitive metadata. Cached schema details can expose table names, column names, relationships, comments, and other internal structure across sessions or users, which materially increases information disclosure risk in a database-management skill.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The documentation repeatedly shows PostgreSQL connection URIs with inline usernames and passwords, which normalizes placing secrets directly in shell commands and config files. In practice, these credentials can be exposed through shell history, process listings, logs, screenshots, shared config files, or accidental commits, and the file does not prominently warn users about those risks or steer them toward safer secret handling.

VirusTotal

66/66 vendors flagged this skill as clean.