Mindsdb Mcp Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate MindsDB MCP documentation skill, but it gives an agent broad database and enterprise-data authority without enough scoping, confirmation, or secret-handling guidance.

Install only if you intend to let an agent use MindsDB against real data systems. Use dedicated least-privilege or read-only accounts where possible, keep credentials out of prompts and URLs, review generated SQL before execution, and require explicit confirmation for writes, deletes, schema changes, imports, exports, model training, knowledge-base ingestion, scheduled reports, and any workflow involving regulated or confidential data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Intent-Code Divergence

Severity: Low
Confidence: 88%
Finding
The document presents two inconsistent authentication mechanisms and recommends passing an API key in the URL query string for the cloud example. Secrets in URLs are commonly exposed via logs, browser history, proxies, telemetry, and screenshots, making credential leakage more likely in a skill centered on database and enterprise data access.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The guide shows credentials placed directly in configuration and, in one example, in the URL without any warning about secure secret handling. Because this skill connects to databases, SaaS systems, and knowledge bases, leaked tokens could grant broad access to sensitive enterprise data or enable unauthorized queries and actions.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The README promotes natural-language querying and operation across 200+ enterprise data sources, including automated database and model actions, without prominent warnings about data exposure, destructive operations, credential handling, or possible transmission to external services. In an agent-driven context, this can cause users to authorize sensitive read/write actions without understanding privacy, integrity, and exfiltration risks.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The trigger description is extremely broad: it instructs use of this skill for essentially any database operation, data analysis, RAG, AI Q&A, or multi-source connection scenario, even when MindsDB is not explicitly requested. In an agentic environment, that can cause unintended invocation of a powerful skill that can connect to external systems, generate SQL, and act on data sources, increasing the chance of unauthorized or surprising actions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill advertises high-impact capabilities—connecting to enterprise data sources, executing queries, importing documents, creating models, and building knowledge bases—but does not prominently require user confirmation, permission checks, or warn about data sensitivity and side effects. In practice, this can normalize risky operations and lead users or downstream agents to perform reads, writes, imports, or model-building against sensitive systems without adequate safeguards.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The documentation includes example database connection commands with plaintext usernames and passwords, but provides no guidance to use environment variables, secret stores, or redaction. In a skill specifically designed to connect to many enterprise data sources, this can normalize unsafe credential handling and lead users to paste real secrets into prompts, configs, logs, or chat history where they may be retained or exposed.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The import and export examples show file/data transfer operations without warnings about overwriting files, exporting sensitive records, validating paths, or confirming destinations. In a database automation skill, this increases the risk of accidental data leakage, unsafe local file writes, or unintended exfiltration of query results to user-controlled paths.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The document includes numerous examples of secret-bearing fields such as passwords, tokens, API keys, and credential file paths across database and SaaS integrations. In a skill specifically designed to connect to many external systems, this is risky because users may copy the examples verbatim, hardcode production secrets into prompts/configuration, or mishandle credential files without adequate warnings about secret hygiene.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The document recommends scheduled report delivery to fixed email recipients, but it does not mention access control, data minimization, approval workflows, or sensitivity review before distributing outputs. In a skill focused on querying enterprise data sources and generating AI-driven insights, automated reports can easily include confidential business metrics or personal data and lead to unintended disclosure through email forwarding, mailbox compromise, or overbroad recipient lists.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The guide encourages ingesting database and web content into a RAG knowledge base and then using external model providers such as OpenAI and Anthropic, but it does not warn that sensitive records, internal documents, or personal data may be embedded, stored, retrieved, and transmitted to third parties. In a skill explicitly meant for broad enterprise data access across 200+ sources, this omission can lead users to expose confidential or regulated data without realizing the privacy, retention, and compliance implications.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The legal and medical examples normalize building RAG systems and question-answering agents over highly sensitive or regulated datasets without any warning about consent, access control, jurisdictional restrictions, or the risk of inaccurate model output. In these domains, misuse can expose protected health information, legal case data, or produce unsafe advice, making the omission more dangerous in the context of this enterprise data-access skill.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The documentation instructs users to provide database usernames and passwords and even shows a plaintext password example, but it gives no guidance on secret handling, storage, masking, or transmission risks. In a skill explicitly designed to connect to many enterprise data sources, this omission can normalize unsafe credential practices and increase the chance of credential exposure to logs, prompts, screenshots, or unintended external systems.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The import/export sections describe moving data into and out of MindsDB without warning about confidentiality, integrity, overwrite, or exfiltration risks. Because this skill is meant for querying, aggregating, and exporting enterprise data across many sources, users could unintentionally disclose sensitive records or overwrite data destinations without understanding the consequences.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The file includes INSERT, UPDATE, DELETE, ALTER, and DROP examples without surrounding safety warnings, transaction guidance, or clear labeling that they modify live data. In the context of an MCP skill meant to interact with many enterprise data sources through natural language, users or downstream agents may copy or generate destructive statements against production systems, causing unintended data loss or service disruption.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The duplicate-cleanup example performs irreversible deletion based on a subquery, with no warning, preview step, or backup guidance. In this skill's context—where natural-language-driven database operations may be executed across enterprise systems—such an example is especially dangerous because it can normalize direct destructive cleanup on real datasets and lead to permanent loss of legitimate records if adapted incorrectly.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The document includes hardcoded credential examples for AWS and service passwords directly in configuration snippets. Even if presented as examples, this normalizes unsafe secret handling and can lead users to copy the pattern into production systems, exposing credentials through source control, logs, screenshots, or shared docs. In a skill focused on database and infrastructure operations, this is more dangerous because users are likely to execute these examples against real enterprise environments.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The backup example sends data to an S3 path with encryption enabled but provides no warning about bucket access policies, data sensitivity, retention obligations, or cross-account/public exposure risks. Users may assume the example is safe as-is and create backups containing sensitive enterprise data in improperly governed storage, which is especially risky in a skill intended for multi-source data operations and data warehousing.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
User-facing examples embed plaintext database credentials directly in connection instructions, which is a classic secret-handling anti-pattern. Because this skill encourages natural-language interaction for database access, users may imitate the pattern with real production credentials, causing exposure in prompts, notebooks, logs, transcripts, or version control.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
Multiple additional examples for PostgreSQL, MongoDB, TDengine, and InfluxDB repeat the same insecure pattern of exposing credentials in plaintext. The breadth of affected connectors makes the issue more dangerous in this skill context because the skill is explicitly intended for broad enterprise data-source access, increasing the chance that unsafe examples are copied into real deployments.

VirusTotal

66/66 vendors flagged this skill as clean.