Trust Assessment
snowflake-mcp received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 3 high, 0 medium, and 0 low severity. Key findings include Insecure handling of Programmatic Access Tokens (PAT) in examples, Recommendation to create MCP server with arbitrary SQL execution capability, Example `GENERIC` tool for sending emails lacks recipient validation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Insecure handling of Programmatic Access Tokens (PAT) in examples The skill instructs users to create and use Snowflake Programmatic Access Tokens (PATs). While it advises saving the token securely, it then provides `curl` command examples and `mcp.json` configuration snippets that embed the PAT directly in plaintext. This practice can lead to accidental exposure of the token in shell history, logs, or insecurely stored configuration files, making it vulnerable to credential harvesting if the environment is compromised. An attacker gaining access to these logs or files could compromise the Snowflake account. Recommend using environment variables or a secure secrets management system for PATs instead of embedding them directly in commands or configuration files. Add a strong warning about the risks of exposing PATs. For `mcp.json`, suggest a placeholder that the client replaces with a securely retrieved secret at runtime. | LLM | SKILL.md:50 | |
| HIGH | Recommendation to create MCP server with arbitrary SQL execution capability The skill guides users to create an MCP server that includes a `SYSTEM_EXECUTE_SQL` tool. This tool type allows the connected AI agent (e.g., Clawdbot) to execute *any* SQL query against the Snowflake database, limited only by the permissions of the PAT used. If an AI agent is compromised (e.g., via prompt injection) or misconfigured, this capability could lead to unauthorized data access, modification, deletion, or even privilege escalation within the Snowflake environment. While the skill mentions RBAC, the broadness of 'arbitrary SQL queries' is a significant risk. Strongly advise users to restrict the scope of `SYSTEM_EXECUTE_SQL` tools to specific schemas, tables, or views, or to use more granular tool types if available. Emphasize the critical importance of robust guardrails and input validation on the AI agent side when using such a powerful tool. Consider recommending a separate, more restricted PAT for agents using this tool. | LLM | SKILL.md:38 | |
| HIGH | Example `GENERIC` tool for sending emails lacks recipient validation The 'Full Featured Server' example includes a `GENERIC` tool named `Send_Email` that takes `recipient_email`, `subject`, and `body` as input. The description for `recipient_email` is simply 'Recipient email address.' without any mention of validation, whitelisting, or restrictions. If this tool is implemented as a stored procedure that sends emails to arbitrary addresses provided by an AI agent, it could be exploited for spam, phishing attacks, or unauthorized information disclosure by an attacker who gains control over the agent's inputs (e.g., via prompt injection). Add a strong warning about the security implications of email sending tools. Recommend implementing strict validation and whitelisting for `recipient_email` within the underlying Snowflake stored procedure. Suggest that the skill documentation explicitly state these necessary security controls for any `GENERIC` tool that performs external actions. | LLM | SKILL.md:160 |
Scan History
Embed Code
[](https://skillshield.io/report/3b8c48faaba8e97a)
Powered by SkillShield