creating-dbt-models

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection vulnerability. The skill ingests untrusted content from database previews and existing project files to inform code generation.
      • Ingestion points: Output of 'dbt show' (database data) and contents of 'dbt_project.yml' or existing SQL models.
      • Boundary markers: None; the agent lacks instructions to disregard commands embedded in the data it processes.
      • Capability inventory: 'dbt build' and 'dbt compile' allow execution of generated code, while 'cat' and 'find' allow file system access.
      • Sanitization: None; the agent directly incorporates patterns from external data into new executable SQL.
  • [COMMAND_EXECUTION] (MEDIUM): Execution of dbt and shell commands. The skill's core functionality relies on running CLI tools, which, when combined with the lack of input sanitization, provide a path for executing arbitrary database operations or accessing the local filesystem beyond the intended scope.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:07 AM