Byted Bytehouse Mcp

Security checks across malware telemetry and agentic risk

Overview

This ByteHouse database skill is not clearly malicious, but it needs review because it can run unpinned remote server code with database credentials and exposes database-changing SQL.

Install only if you trust the upstream Volcengine MCP server source and are comfortable with it being fetched from a moving GitHub branch at runtime. Use a least-privilege or read-only ByteHouse account unless you explicitly need DML/DDL, avoid exposing unrelated environment secrets, protect any generated schema/catalog files, and stop the background MCP service when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

MCP Least Privilege (Lp3)

Medium
Confidence
84% confidence
Finding
The skill clearly uses environment variables and MCP/server execution capabilities, but the manifest does not declare corresponding permissions or trust boundaries. This creates a transparency and review gap: an agent or user may invoke a skill that can access secrets and start external tooling without explicit consent or policy enforcement.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented primarily as a query, interaction, and analysis tool, but it exposes a run_dml_ddl_query capability that can modify or destroy database state. This mismatch is dangerous because users may authorize a seemingly read-oriented skill that actually has write/administrative power.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The client does not start a pinned local server binary; it instructs uvx to fetch and execute MCP server code directly from a GitHub repository branch (`@main`) at runtime. That creates a supply-chain and remote code execution risk because any compromise of the upstream repo, dependency chain, or branch contents can execute arbitrary code on the host when the skill runs.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code copies the entire host environment and passes it to the spawned MCP server, which is especially risky because that server is fetched from a remote repository at runtime. This can expose secrets such as cloud credentials, API keys, tokens, proxy settings, and internal endpoints to child code that does not need broad access for the stated ByteHouse-query purpose.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script starts a service by invoking `uvx --from` against a GitHub repository branch (`@main`) at runtime, which means code is fetched and executed without pinning to an immutable commit or verified release artifact. This creates a supply-chain risk: if the repository, branch, dependency chain, or network path is compromised, arbitrary code could run on the host with the privileges of the script.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script launches an MCP server by invoking uvx with a GitHub URL that points at the moving main branch rather than an immutable commit, which causes code to be fetched and executed at runtime from a remote repository. This creates a software supply-chain risk: if the repository, dependency resolution, or network path is compromised, arbitrary code could run with the user's environment and local access.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script launches code fetched directly from a remote GitHub repository branch (`@main`) at runtime via `uvx --from git+https://...`. This creates a supply-chain risk because the executed server code is not pinned to an immutable commit or vetted local package, so upstream changes or a compromised repository could lead to arbitrary code execution in the user's environment with access to ByteHouse credentials.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
After connecting, the script automatically invokes the first advertised MCP tool with empty arguments instead of limiting itself to a connectivity or discovery check. In this skill context, MCP tools can interact with a database or perform other side effects, so blindly executing an arbitrary first tool may trigger unintended queries, metadata access, or state-changing operations depending on server implementation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states that schema, catalog, and lineage JSON files are generated and saved locally, but it does not warn that these artifacts can contain sensitive metadata such as database names, table names, column names, relationships, and inferred business context. In a data platform skill, such metadata can materially aid reconnaissance, leak internal architecture, or expose regulated data structure even when raw records are not included.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises a run_dml_ddl_query capability without any warning that it can create, alter, truncate, or drop objects and modify or destroy data. In the context of a database access skill, normalizing write-capable operations without guardrails increases the risk of accidental destructive actions or abuse if the skill is invoked with powerful credentials.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The invocation triggers include broad terms such as mentioning ByteHouse, MCP, querying databases, or looking at tables, which can match routine conversational requests. Overbroad routing increases the chance that the skill is activated unnecessarily, exposing credentials, schema metadata, or write-capable tools in contexts where they were not needed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to export database credentials and generate schema/catalog outputs, but it does not warn that environment variables, logs, and output files may contain sensitive infrastructure metadata or secrets-adjacent information. In this context, schema inventories and lineage reports can materially aid reconnaissance and data exfiltration planning.

VirusTotal

48/48 vendors flagged this skill as clean.