database-administrator
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [Privilege Escalation] (HIGH): The skill extensively uses `sudo` for system management, giving the agent administrative control over the host.
  - Evidence in REFERENCE.md: The deployment workflow includes `sudo apt install`, `sudo pip3 install`, and `sudo systemctl` commands.
- [Persistence Mechanisms] (HIGH): The skill creates automated tasks that persist across sessions.
  - Evidence in REFERENCE.md: Instructions include setting up a recurring backup task via `echo "..." | sudo crontab -`.
- [Indirect Prompt Injection] (HIGH): The skill processes data from database outputs while possessing high-privilege system capabilities, without boundary markers or sanitization.
  - Ingestion points: Database query results, `EXPLAIN ANALYZE` plans, and log files in EXAMPLES.md and REFERENCE.md.
  - Boundary markers: Absent; no delimiters are used to separate untrusted database content from agent instructions.
  - Capability inventory: Root-level execution via `sudo`, file deletion via `rm -rf`, and network access via `aws s3`.
  - Sanitization: Absent; variable paths and database-derived strings are used directly in shell commands.
- [Command Execution] (HIGH): Example scripts utilize destructive commands on dynamic paths, posing a risk of arbitrary file deletion.
  - Evidence in EXAMPLES.md: The backup verification script executes `rm -rf $TEST_DIR`. If `$TEST_DIR` is manipulated or incorrectly defined, it can lead to system-wide data loss.
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill performs unpinned and unverified package installations at runtime.
  - Evidence in REFERENCE.md: The installation steps use `sudo pip3 install patroni[etcd]`, which fetches code from public repositories without integrity checks.
Recommendations
- AI detected serious security threats
Audit Metadata