Security Audit
affaan-m/everything-claude-code:docs/ja-JP/skills/clickhouse-io
github.com/affaan-m/everything-claude-code

Trust Assessment
affaan-m/everything-claude-code:docs/ja-JP/skills/clickhouse-io received a trust score of 56/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include SQL Injection via unescaped string concatenation in ClickHouse insert.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 20, 2026 (commit 9a478ad6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **SQL Injection via unescaped string concatenation in ClickHouse insert.** The `bulkInsertTrades` function constructs a SQL `INSERT` query by directly concatenating string values from the `trades` array into the query string. If `trade.id`, `trade.market_id`, `trade.user_id`, or `trade.timestamp` (or any other string field) contain malicious SQL, an attacker could inject arbitrary SQL commands into the ClickHouse database. This is a classic SQL injection vulnerability. Use parameterized queries or the `clickhouse.insert()` method, which properly escapes or binds parameters, instead of direct string concatenation. For example, use `await clickhouse.insert('trades', trades).toPromise()` if `trades` is an array of objects matching the table schema, or use parameterized queries with the `query` method if the library supports it for this type of insert. | LLM | SKILL.md:160 |
Full report: https://skillshield.io/report/9ca229d306bf5dd4
Powered by SkillShield