Virtuoso Product Support

Technical support and database management for OpenLink Virtuoso Server with RDF Views generation, SPARQL queries, and comprehensive database operations. Prov...

This skill appears to be a legitimate Virtuoso support helper, but proceed carefully. Key things to check before installing or using it: 1) Confirm the platform actually exposes the MCP tools the skill expects (especially database_schema_objects and database_remote_datasources referenced in the workflow) — the SKILL.md references tools that are not listed elsewhere, which is an incoherence. 2) Do not allow the agent to run generated scripts on production until you verify the generated SQL and have a current backup; test the full workflow on the Demo instance first. 3) Require explicit, per-action user confirmation for any EXECUTE_SQL_SCRIPT or metadata-repair (RDF_AUDIT_METADATA level 2/3) operations; consider disabling autonomous invocation for destructive actions. 4) Verify credentials and that default passwords (dba/dba) are not in use; restrict DB access to a service account with least privilege. 5) If you can't confirm the tool bindings and provenance (source unknown, no homepage), treat the skill as untrusted for production changes. If you want, I can list the exact tool names referenced in the SKILL.md so you can cross-check them with your platform's available tool bindings.

Type: OpenClaw Skill Name: virtuoso-support-agent Version: 1.0.0 The skill is classified as suspicious due to multiple high-risk capabilities that are vulnerable to prompt injection and potential exploitation, rather than clear malicious intent. Key indicators include: 1) The `EXECUTE_SQL_SCRIPT` and `execute_sql_query` tools (documented in `SKILL.md` and `references/tool-reference.md`) allow the agent to execute arbitrary SQL commands, posing a significant SQL injection/RCE risk if agent instructions for user approval or script modification are bypassed via prompt injection. 2) The `sparqlRemoteQuery` tool (`references/tool-reference.md`) enables querying arbitrary remote SPARQL endpoints with an optional `apiKey`, creating a data exfiltration vulnerability if the agent is tricked into sending sensitive local data to a malicious URL. 3) The `chatPromptComplete` tool (`references/tool-reference.md`) includes a `file_urls` parameter, allowing the agent to read arbitrary files and pass their content to an LLM, which is a critical information disclosure risk via prompt injection against the agent itself. These powerful capabilities, while potentially necessary for the skill's stated purpose, lack robust, unbypassable safeguards against a malicious user.