Back to skill

Security audit

Kes Skills

Security checks across malware telemetry and agentic risk

Overview

This is a coherent KingbaseES documentation skill pack, but it needs review because it persistently changes agent behavior and contains broad auto-triggers plus high-impact system and database commands with weak credential examples.

Install this only if you actively work with KingbaseES and prefer project-scoped installation over global installation. Review commands before use, replace all sample passwords, avoid unrestricted MCP mode unless you intentionally need read/write database access, and do not run DROP/TRUNCATE/trust-auth/system-level commands against production without backups and a rollback plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (139)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The C3P0 example includes concrete database credentials and endpoint details (`SYSTEM`/`MANAGER`, localhost, port, and DB name) in generic documentation. Even if presented as sample data, publishing realistic plaintext credentials normalizes unsafe practice and can lead users to copy them into real deployments or accidentally expose usable defaults.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The Node.js pool example exposes plaintext credentials (`SYSTEM` / `123456`) in a reusable configuration snippet. In a reference guide, this is risky because developers frequently copy examples directly, potentially deploying weak or unchanged credentials and embedding secrets in code repositories.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document gives contradictory guidance by claiming B-Tree indexes do not support partial or function indexes, then later recommending those same patterns. In a database design guide, this can mislead users into rejecting valid optimizations or distrusting other parts of the guidance, causing incorrect schema design and degraded performance or maintainability.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The guide first says high-selectivity columns should come first in composite indexes, but later presents an example asserting the opposite as the 'correct' design. This inconsistency is dangerous because index column order directly affects query plans; readers may implement suboptimal indexes that harm performance and operational stability on large tables.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The document exposes default administrative login credentials for the KDTS web interface, including a username and password. Even if intended as setup defaults, publishing usable admin credentials materially increases the risk of unauthorized access where operators fail to change them or expose the service beyond localhost.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The example configuration embeds plaintext database usernames and passwords in YAML snippets. Readers commonly copy such examples verbatim, which encourages insecure secret handling in files, scripts, repos, and shared migration bundles.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The KFS example shows a plaintext replication password directly in a command line. Command-line secrets are often exposed through shell history, process listings, logs, and screenshots, making credential theft easier.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The document first frames local `trust` authentication as emergency/test-only, but later advises operators to retain a `trust` entry as a troubleshooting fallback. In an authentication hardening guide, recommending a standing trust backdoor can normalize insecure configuration and enable unauthorized local access if left enabled in production.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README advertises automatic invocation using very broad natural-language phrases such as "Python connection" or "SQL optimization." In agent environments, overly generic triggers can cause unintended activation of this skill in unrelated conversations, potentially steering the assistant toward database-specific guidance or tool usage when the user did not explicitly request it.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The installation section instructs users to clone, unzip, copy files into `.claude/skills` and `~/.claude/skills`, which modifies local or global agent behavior, but it does not clearly warn that these steps change the assistant's available skills for future sessions. This can lead to unreviewed persistence of third-party behavior, especially with global installation paths.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README advertises very broad natural-language trigger phrases such as general user questions, which can cause the skill to activate unintentionally in unrelated conversations. In a skill system, overbroad invocation patterns increase the chance of context hijacking, accidental execution of risky guidance, or user surprise when database-oriented workflows are invoked without clear intent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger text says the skill must be used whenever users mention broad Docker-related terms, which can cause unintended invocation outside the narrow context of installation/configuration. Over-broad mandatory routing increases the chance that users receive system-modifying guidance when they only asked a general Docker question, creating a safety and least-privilege problem.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill includes commands that remove packages, add repositories, write system configuration files, and enable services, but it does not clearly warn that these operations require root privileges and can alter or disrupt the host. In a conversational agent context, missing impact warnings can lead users to run destructive commands without understanding rollback steps or compatibility risks.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description contains broad mandatory trigger phrases such as '帮我构建应用', '从零开发', and '完整项目', which can match many normal software-assistance requests and cause this orchestrator to be invoked too aggressively. Because it is an orchestrator that can route into other skills and workflow steps, over-triggering can hijack user intent, bypass more appropriate specialized skills, and expand the operational scope unnecessarily.

Natural-Language Policy Violations

Low
Confidence
88% confidence
Finding
The skill sets a default stack of 'Java + Spring Boot + MyBatis' and later reinforces '默认 Java', which biases technology selection without explicit user opt-in. In an orchestration skill, this can steer projects toward an unsuitable stack, leading to insecure or incompatible implementations if user constraints, team expertise, or deployment requirements differ.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document includes concrete database credentials in a configuration example, including a trivial password, but does not label them as placeholders or warn against reuse in production. In reference material for app scaffolding, readers may copy the example directly, leading to insecure deployments with default or guessable credentials.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document includes concrete database credentials embedded directly in example code and configuration defaults. Even if intended as sample data, hardcoded usernames and passwords normalize insecure practices, can be copied into production deployments, and may expose real credentials if the example reflects an actual environment.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill declares that it 'must' be used whenever users mention broad backup-related terms, which can force routing to this skill even when the request is only tangentially related or better handled by another, safer or more specific workflow. Overly broad mandatory activation increases the chance of inappropriate tool invocation, context hijacking, and unsafe operational guidance being applied without sufficient validation of the user's environment or intent.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger text says the skill must be used whenever users mention broad topics like C development, ODBC, ESQL/C, unixODBC, or compilation/linking, which overlaps with many normal technical conversations. This can cause inappropriate activation and lead the agent to inject database-specific guidance, including unsafe credential-handling patterns, into unrelated contexts.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill repeatedly includes real-looking usernames and plaintext passwords in connection strings, DSN examples, and code samples without warning against hardcoding secrets. Because this is instructional content, users may copy it directly into source code, config files, shell history, or registry entries, creating credential leakage and insecure deployment patterns.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The activation text says the skill must be used whenever users mention broad SQL-related topics, which can cause the agent to invoke this skill in many general database contexts without clear product or task boundaries. Over-broad triggering increases the chance of irrelevant or unsafe guidance being surfaced, especially when the skill includes executable DDL/DML/DCL examples that may be applied to the wrong environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill contains ready-to-use examples for INSERT, UPDATE, DELETE, MERGE, GRANT, ALTER DEFAULT PRIVILEGES, and REVOKE without warning that they modify data, permissions, or schema state. In an agent setting, presenting destructive or privilege-affecting commands as normal reference material can lead users or downstream systems to execute risky statements without adequate review, backup, scoping, or least-privilege checks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tutorial includes destructive operations such as DELETE, TRUNCATE, and cascading truncation without any warning that they are irreversible or should only be run against disposable/test data. In a quick-start context, inexperienced users may copy commands directly into a real environment and cause unintended data loss.

Missing User Warnings

High
Confidence
97% confidence
Finding
The cleanup section shows irreversible commands including DROP TABLE ... CASCADE, DROP SCHEMA public CASCADE, recreating the public schema, and DROP DATABASE without any safety disclaimer. These commands can destroy an application's full schema and data, and presenting them as routine cleanup in a beginner guide materially increases the chance of accidental execution.

Missing User Warnings

High
Confidence
99% confidence
Finding
The password-reset procedure instructs users to change sys_hba.conf to trust authentication, temporarily disabling password-based access, but it does not warn about the security exposure or require compensating controls. If applied on a reachable system or left in place, this can allow unauthorized local access as privileged users and facilitate full database compromise.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.destructive_delete_command, suspicious.exposed_secret_literal

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
kes-deploy/SKILL.md:311

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
kes-ha/ref/high-availability.md:43