Trust Assessment
clickhouse-io received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential SQL Injection in ClickHouse Insert Example.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential SQL Injection in ClickHouse Insert Example.** The `bulkInsertTrades` function constructs an SQL `INSERT` statement by directly concatenating string values from the `trades` array. If `trade.id`, `trade.market_id`, `trade.user_id`, or `trade.timestamp` contain malicious SQL characters (e.g., single quotes), an attacker could inject arbitrary SQL commands, leading to data manipulation, unauthorized access, or denial of service. The `insertTrade` function, though marked as 'slow', exhibits the same vulnerability. Recommendation: use parameterized queries or the ClickHouse client library's built-in safe insertion methods. For the `clickhouse` npm package, it is recommended to use `clickhouse.insert(tableName, dataArray)`, which handles proper escaping and batching. Alternatively, if using `clickhouse.query`, ensure all user-supplied string values are properly escaped, or use query parameters if the library supports them for `INSERT` statements. | LLM | SKILL.md:170 |
Full report: https://skillshield.io/report/b179133ecafe3041