Security audit

xiaoqianran-duck

Security checks across malware telemetry and agentic risk

Overview

This is a coherent DuckDB data tool, but it needs review because it exposes unrestricted browser SQL and automatically uses Hugging Face tokens from the environment or a nearby .env file.

Install only if you are comfortable with a local analytics tool that can read selected local files, create or modify a DuckDB database, access Hugging Face over the network, and use HF tokens from your environment or .env file. Do not run the preview server on sensitive data or shared/untrusted networks unless you bind it to localhost, add access controls, and restrict SQL to safe read-only queries. Keep HF tokens out of committed .env files and use least-privilege tokens.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: `autoLoadHFToken()` automatically reads Hugging Face credentials from environment variables and a nearby `.env` file, then installs them into DuckDB secrets without explicit user consent or disclosure. In a reusable helper/library, this can cause unexpected credential harvesting/use from the local environment, especially when combined with remote dataset access.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The helper automatically reads Hugging Face credentials from process environment variables and, if absent, from a local `.env` file without an explicit opt-in at the call site. This expands the credential trust boundary and can cause sensitive tokens to be silently consumed during routine dataset imports, especially in embedded app contexts where users may not expect secret discovery from disk.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: The skill instructs users to place a Hugging Face access token in an environment variable or a `.env` file next to the database, but it does not warn that the token is sensitive, should not be committed to source control, and should be stored using OS secret storage where possible. In a desktop and preview-server context, this omission increases the chance of accidental credential exposure through logs, bundled app files, backups, or local project directories.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The `/query` endpoint takes arbitrary SQL from a GET parameter and executes it directly against the DuckDB database, allowing any user who can reach the server to run read or write operations. In this preview-server context, that can expose sensitive data, modify or delete tables, and potentially trigger risky file-access features supported by DuckDB or helper integrations, especially since the UI provides no warning or restriction that this is effectively a full SQL console.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The code silently loads `HF_TOKEN`/`HUGGINGFACE_TOKEN` or parses a `.env` file, with no user-facing warning that secrets from the host environment may be consumed. This creates a secrecy and consent problem: users may invoke a local analytics helper without realizing it accesses stored credentials.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: `importFromHF()` performs remote access to Hugging Face datasets and by default attempts token auto-loading. In a local analysis tool, silent network access can exfiltrate metadata, trigger use of private credentials, and surprise users who expect purely local processing.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: The README explicitly instructs users to query remote Hugging Face datasets and create a local `data.duckdb` file, but it does not disclose that the demo performs network access and writes persistent local data. In a security-sensitive agent/skill ecosystem, undisclosed outbound connections and filesystem modifications reduce informed consent and can surprise users or automation that assumes examples are local-only.

Missing User Warnings

Severity: Low
Confidence: 92%
Finding: The README tells users to start `examples/preview-server.js` and open a browser, but it does not warn that this launches a local HTTP service. Even if intended for local use, undocumented service startup can expose data to other local users or network peers depending on bind address and configuration, and it changes the system's attack surface.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill explicitly instructs users to export an HF access token as an environment variable or place it in a `.env` file, but provides no warning that the token is sensitive or that it may grant access to private or gated datasets. In a desktop/CLI workflow, such tokens can be leaked through shell history, logs, screenshots, accidental commits, or insecure local file handling, making unauthorized dataset access plausible.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The preview server is presented as a simple way to browse tables and run queries in a browser, but there is no warning that this exposes locally stored data over an HTTP service. If the server binds beyond localhost, lacks authentication, or is used on a shared/untrusted system, sensitive local datasets could be accessed by other users or processes.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: Automatic loading of Hugging Face tokens occurs with no user-facing warning or disclosure, so network-authenticated access may happen using ambient credentials the user did not intend this helper to use. In a local analytics tool, silent use of secrets is security-relevant because it can surprise users and enable access to private or gated remote resources under their identity.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The `importFromHF()` method performs remote network access via the `hf://` protocol and may also auto-load credentials, but there is no visible disclosure in this helper that a network connection will occur. In desktop or agent-integrated contexts, undisclosed outbound access can leak metadata, trigger authenticated requests, and violate user expectations or policy boundaries.

Credential Access

Severity: High
Category: Privilege Escalation
Content:

  }

  /**
   * Try to load HF token from environment or .env
   */
  async autoLoadHFToken() {
    let token = process.env.HF_TOKEN || process.env.HUGGINGFACE_TOKEN;

Confidence: 88%
Finding: matched text `.env`

Credential Access

Severity: High
Category: Privilege Escalation
Content:

  async autoLoadHFToken() {
    let token = process.env.HF_TOKEN || process.env.HUGGINGFACE_TOKEN;
    if (!token) {
      // Try .env file in project
      const envPath = path.join(path.dirname(this.dbPath), '.env');
      if (fs.existsSync(envPath)) {
        const envContent = fs.readFileSync(envPath, 'utf8');

Confidence: 89%
Finding: matched text `.env`

Credential Access

Severity: High
Category: Privilege Escalation
Content:

    let token = process.env.HF_TOKEN || process.env.HUGGINGFACE_TOKEN;
    if (!token) {
      // Try .env file in project
      const envPath = path.join(path.dirname(this.dbPath), '.env');
      if (fs.existsSync(envPath)) {
        const envContent = fs.readFileSync(envPath, 'utf8');
        const match = envContent.match(/HF_TOKEN=([^\s]+)/);

Confidence: 89%
Finding: matched text `.env'`

Credential Access

Severity: High
Category: Privilege Escalation
Content:

  }

  /**
   * Try to load HF token from environment or .env
   */
  async autoLoadHFToken() {
    let token = process.env.HF_TOKEN || process.env.HUGGINGFACE_TOKEN;

Confidence: 86%
Finding: matched text `.env`

Credential Access

Severity: High
Category: Privilege Escalation
Content:

  async autoLoadHFToken() {
    let token = process.env.HF_TOKEN || process.env.HUGGINGFACE_TOKEN;
    if (!token) {
      // Try .env file in project
      const envPath = path.join(path.dirname(this.dbPath), '.env');
      if (fs.existsSync(envPath)) {
        const envContent = fs.readFileSync(envPath, 'utf8');

Confidence: 88%
Finding: matched text `.env`

Credential Access

Severity: High
Category: Privilege Escalation
Content:

    let token = process.env.HF_TOKEN || process.env.HUGGINGFACE_TOKEN;
    if (!token) {
      // Try .env file in project
      const envPath = path.join(path.dirname(this.dbPath), '.env');
      if (fs.existsSync(envPath)) {
        const envContent = fs.readFileSync(envPath, 'utf8');
        const match = envContent.match(/HF_TOKEN=([^\s]+)/);

Confidence: 88%
Finding: matched text `.env'`

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.