postgres mcp

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PostgreSQL administration skill, but it can expose or change database data if configured with powerful credentials.

Install only if you want an agent to help administer a PostgreSQL database. Use a dedicated least-privileged or read-only database account, avoid superuser credentials, protect connection strings, keep SSE endpoints local or access-controlled, pin or review the external postgres-mcp package/image, and manually review every write, DDL, backend termination, statistics reset, or scheduled monitoring action before approving it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Intent-Code Divergence

Medium, 89% confidence
Finding: The skill states that write operations require explicit user confirmation, but later examples show transactional bulk updates executing directly without a confirmation gate. In a database-execution skill, inconsistent guidance can cause an agent implementation to skip approval for destructive changes, leading to unauthorized or accidental data modification at scale.

Intent-Code Divergence

Medium, 83% confidence
Finding: The document says dangerous operations should be detected and warned on, but it later includes pg_cancel_backend and pg_terminate_backend examples without warning, approval, or role restrictions. In a PostgreSQL admin context, these commands can disrupt legitimate workloads, terminate critical sessions, and create denial-of-service conditions if surfaced as routine commands.

Context-Inappropriate Capability

Medium, 91% confidence
Finding: The skill expands from one-time database health inspection into creating a scheduled task, which introduces persistent side effects beyond the user's immediate request. In an agent context, this can lead to unauthorized recurring actions, operational drift, and repeated access to database metadata without clear consent or scheduling safeguards.

Vague Triggers

Medium, 93% confidence
Finding: The trigger text is broad enough to activate on generic database, performance, or schema questions without a tightly bounded PostgreSQL scope. In an agent environment, over-broad routing can misapply this skill to unrelated requests and expose powerful database-management behaviors, including SQL execution guidance, in contexts where a narrower skill should have handled the request.

Vague Triggers

Medium, 80% confidence
Finding: The trigger description includes broad natural-language phrases such as mentions of PostgreSQL, optimization, indexing, or health checks, which can cause the skill to activate in contexts where the user did not intend database operations. In a powerful database-management skill, over-triggering is risky because it may lead the agent to gather schema, query, or performance data unnecessarily and steer conversations toward sensitive operational actions.

Vague Triggers

Medium, 87% confidence
Finding: The activation text is broad enough to trigger on generic database-performance or query-help requests, which can cause the skill to engage outside a narrowly intended scope. In a skill that can analyze or execute SQL-related operations, overbroad routing increases the chance of unintended database interaction, including running costly EXPLAIN ANALYZE workflows on production queries.

Vague Triggers

Medium, 90% confidence
Finding: The activation text is overly broad and can cause this skill to trigger on many generic database-related requests, including cases where the user did not specifically intend schema inspection or SQL generation. In this context, over-activation is security-relevant because the skill explicitly supports schema discovery and SQL generation, which can expose metadata unnecessarily and increase the chance of unsafe or over-privileged database operations being suggested or executed by an agent pipeline.

Vague Triggers

Medium, 92% confidence
Finding: The trigger conditions are overly broad ('first time using PostgreSQL features', installation/deployment/configuration, connection failures), which can cause this skill to activate in situations where the user did not intend to install software or change local/database configuration. In this skill's context, unintended invocation is more dangerous because the instructions include deploying services, exposing SSE endpoints, and editing local MCP client config files.

Missing User Warnings

Medium, 97% confidence
Finding: The skill instructs users to edit local client configuration files and start long-running services, including a network-accessible SSE mode, without an explicit warning about side effects or a requirement for user confirmation before making those changes. This is dangerous because it can lead to unintended exposure of database tooling, persistence of configuration changes, and accidental use of privileged database credentials in local config or command history.

VirusTotal

65/65 vendors flagged this skill as clean.