Snowflake MCP Connection

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Snowflake MCP setup guide, but it can give an AI client broad Snowflake credentials, arbitrary SQL access, and side-effecting tools without enough guardrails.

Install only after reviewing the Snowflake authority you are giving to the MCP client. Use a dedicated low-privilege role and token, avoid ACCOUNTADMIN for runtime use, keep mcp.json and Snowflake connection files secret, restrict SQL to read-only where possible, remove or gate side-effecting tools such as Send_Email, and pin or verify the optional local MCP package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding:
The skill is framed as connection setup, but it directs users to create MCP servers exposing `SYSTEM_EXECUTE_SQL`, which enables arbitrary SQL execution through an MCP client. In this context, that materially expands the trust boundary from configuration guidance to operational data access and query execution, increasing the chance of misuse, over-privileged deployment, or unintended destructive queries if loaded into an agent session.

Context-Inappropriate Capability

Severity: High
Confidence: 93%
Finding:
The full-featured example introduces a `GENERIC` procedure-backed email-sending tool that is unrelated to basic Snowflake MCP connectivity and adds an outbound action capability. In an agent-integrated MCP context, this creates unnecessary risk of prompt-triggered data exfiltration, spam, or unauthorized notifications, especially when bundled alongside SQL and search tools.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The file is presented as examples for wiring Snowflake MCP endpoints, but it goes beyond passive connectivity setup and provides ready-to-run definitions for powerful operational tools, including arbitrary SQL execution, agent execution, and custom procedure invocation. In an agent skill context, this expands the action surface substantially and can enable unsafe data access or side effects if copied into production without tighter scoping or safeguards.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The custom Send_Email tool introduces an external side-effecting capability unrelated to basic MCP endpoint wiring or Cortex configuration. In an MCP/agent setting, exposing an email procedure can be abused for spam, data exfiltration, social engineering, or unauthorized notifications, especially since the example normalizes operational use without justification or safety gates.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The documentation shows PATs embedded directly in curl commands and `mcp.json` headers without warning against committing secrets to source control or sharing session configuration files. Users commonly copy-paste these examples verbatim, which can lead to credential exposure in repositories, shell history, screenshots, or shared workspaces.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The documentation provides multiple examples with plaintext secrets such as passwords and private-key passphrases directly in command arguments and config files, but does not warn users against storing or sharing real credentials this way. In this skill context, users are explicitly told to add MCP configuration to client context, which increases the chance that bearer tokens or passwords will be exposed to logs, screenshots, prompt context, version control, or other agents.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The PAT example shows a bearer token embedded in `mcp.json` headers without any caution about secret exposure, despite instructing the user to add that file as session context. Bearer tokens are directly reusable credentials, so including them in configuration files and LLM context materially increases the risk of credential theft, replay, and unauthorized access to the Snowflake MCP endpoint.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The example shows how to create and expose an email-sending procedure but provides no warning, confirmation requirement, or operator guidance before enabling a side-effecting action. This is dangerous because users may treat it as safe boilerplate and deploy a messaging capability that can be triggered without adequate human review or policy controls.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
Including a DROP MCP SERVER example without any cautionary note normalizes a destructive administrative command in a copy-paste-oriented example file. While the command is not inherently malicious, accidental execution could remove configured servers and disrupt dependent workflows or integrations.

VirusTotal

66/66 vendors flagged this skill as clean.