Back to skill

Security audit

Hologres Cli

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Hologres CLI skill, but it needs review because it delegates powerful database, storage, and credential-handling actions to an external pip package with broad triggers and under-disclosed sensitive-data risks.

Install only after verifying the `hologres-cli` pip package source and pinning a reviewed version. Use least-privilege database, OSS, and model-provider credentials; avoid putting secrets directly in chat or command-line arguments; protect or clear `~/.hologres` history/config files; require explicit human approval for write, drop, truncate, import-with-truncate, GUC set, model registration/deletion, local file upload, and `volume view` operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documented command surface significantly exceeds a database CLI by including AI generation and external model management. This broadens reachable functionality into areas with different trust, billing, data handling, and outbound-content risks, making it easier for an agent or user to invoke actions outside the expected database-administration context.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
Volume file management and opening downloaded files with the system viewer expand the skill from database operations into local file handling and potentially code/content execution via associated applications. In an agent context, this materially increases risk because remote content can be fetched and then opened locally, crossing trust boundaries between database administration and workstation-side actions.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Opening downloaded files with the system viewer is dangerous because it can trigger local application handling of untrusted content, leading to phishing, unintended macro/script execution, or exploitation of viewer vulnerabilities. This is especially risky in an agent skill framed as a database CLI, where users may not expect any local file-opening side effects.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Overly broad triggers such as generic database-related phrases increase the chance of accidental activation in unrelated conversations. In an agent environment, misfires can expose database metadata, execute queries, or surface destructive command options when the user did not intend to invoke this specific skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents operations involving access keys, secrets, external storage, and model API keys without prominent privacy and credential-handling warnings. That creates a realistic risk of users supplying sensitive credentials into agent workflows or logs without understanding retention, display, and downstream exposure implications.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list includes broad phrases such as "hologres database" and "dynamic table," which are likely to match many ordinary database-related requests rather than narrowly scoped invocations. In a skill that can execute SQL and perform import/export or table lifecycle actions, over-broad activation increases the chance the skill is invoked unintentionally and gains access to sensitive database operations in contexts where the user did not explicitly request it.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation includes a command example that passes long-lived secrets (`--access-key` and `--access-secret`) directly on the command line without warning users about exposure risks. CLI arguments can be captured in shell history, process listings, terminal logs, CI logs, and agent traces, which can lead to credential disclosure and unauthorized OSS access.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation exposes a `--no-mask` option that disables sensitive data masking without any warning, making it easier for an agent or user to unintentionally retrieve and display secrets or personal data in logs, transcripts, or downstream tools. In an AI-agent-oriented CLI, this is more dangerous because agents may prioritize task completion over privacy controls and may propagate unmasked results automatically.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that all commands are logged to ~/.hologres/sql-history.jsonl and shows raw SQL in example entries, but it does not warn that SQL text can contain secrets, personal data, tokens, or embedded literals. On multi-user systems, backups, support bundles, or endpoint compromise, this history file could expose sensitive information even when query output masking is enabled.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.