Byted Bytehouse Diagnostics

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ByteHouse diagnostic tool, but it should be reviewed because it fetches unpinned code at runtime and passes it database credentials plus the full shell environment.

Install only if you trust the external ByteHouse MCP code source. Prefer pinning the MCP server to a reviewed commit or release, run with a least-privileged read-only ByteHouse account, start it from a clean environment containing only the required ByteHouse variables, and protect or redact generated reports before sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill instructs users to set and use sensitive environment variables, invokes external tooling via `uv run`, depends on an MCP server for remote access, and writes diagnostic output files, but it does not declare corresponding permissions. This creates a trust and containment gap: an agent or reviewer cannot reliably understand that the skill can access credentials, connect to external services, and persist potentially sensitive diagnostic data.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding: The script dynamically fetches and executes an MCP server directly from a GitHub repository at runtime using `uvx --from git+https://...@main`. This creates a supply-chain and arbitrary code execution risk because the code is not pinned to an immutable commit or locally vetted artifact, and it runs with access to the process environment and database credentials.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding: The script copies the entire process environment and forwards it to the spawned MCP server, unnecessarily exposing all inherited secrets and operational settings to a child process whose code is fetched remotely. If that server is compromised or behaves unexpectedly, it can read and exfiltrate credentials unrelated to ByteHouse diagnostics.

Missing User Warnings

Medium
Confidence: 88%
Finding: The README explicitly states that health, node status, and query statistics reports are written to local JSON files, but it does not warn that these artifacts may contain sensitive operational metadata such as query history, node topology, host information, or error details. In a diagnostics skill, this omission increases the chance that users will persist sensitive cluster information in insecure locations, commit it to source control, or share it unintentionally.

Vague Triggers

Medium
Confidence: 80%
Finding: The trigger conditions are broad and symptom-based, such as any mention of cluster diagnostics, health checks, node status, or cluster problems, without clear exclusion criteria. This can cause the skill to activate in unrelated contexts and unnecessarily access ByteHouse connectivity, system tables, or write diagnostic reports when a simpler or safer response would suffice.

VirusTotal

56/56 vendors flagged this skill as clean.