Security Audit
Jamkris/everything-gemini-code:skills/clickhouse-io
github.com/Jamkris/everything-gemini-code
Trust Assessment
Jamkris/everything-gemini-code:skills/clickhouse-io received a trust score of 56/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include SQL Injection vulnerability in bulk insert.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 30, 2026 (commit 6c6f43aa). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | SQL Injection vulnerability in bulk insert: The `bulkInsertTrades` function constructs an SQL `INSERT` query by directly concatenating string values from the `trades` array without proper escaping or parameterization. This allows SQL injection if any of the `trade.id`, `trade.market_id`, `trade.user_id`, or `trade.timestamp` fields contain malicious input (e.g., single quotes). An attacker could inject arbitrary SQL commands, leading to data exfiltration, modification, or deletion within the ClickHouse database. Use parameterized queries or a proper SQL escaping mechanism provided by the `clickhouse` client library. Avoid direct string concatenation for SQL queries when incorporating untrusted or user-controlled input. For example, use the client's built-in methods for safe data insertion if available, or manually escape string values. | LLM | SKILL.md:166 |
Full report: [skillshield.io/report/bcba996095e7db1d](https://skillshield.io/report/bcba996095e7db1d)
Powered by SkillShield