sql-executor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is a direct interface for SQL execution with no sanitization, so it is vulnerable to indirect prompt injection (leading to SQL injection) whenever an agent derives queries from untrusted sources. Ingestion points: 'scripts/sql_executor.py' accepts queries via the 'query' positional argument or the '--file' parameter. Boundary markers: none present. Capability inventory: full read/write access to any SQLite database reachable through the file system, plus the ability to write query results to arbitrary local paths via the '--output' flag. Sanitization: none; the script passes the query straight to 'cursor.execute(query)'.
- COMMAND_EXECUTION (HIGH): Provides an unrestricted interface for arbitrary SQL execution, which can be used to modify or delete data (UPDATE/DELETE) or destroy database structures (DROP) if used by an agent with access to sensitive databases.
- Metadata Poisoning (MEDIUM): The 'SKILL.md' file claims support for PostgreSQL and MySQL, but the implementation in 'scripts/sql_executor.py' only supports SQLite. This mismatch is deceptive regarding the tool's actual capabilities and security scope.
- DATA_EXFILTRATION (LOW): The tool's capability to export database contents to local files could be used to expose sensitive data if an agent is manipulated into writing results to accessible directories.
Recommendations
- AI detected serious security threats