refactoring-dbt-models

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection (Category 8). The skill reads repository SQL files and uses their content to guide its logic. Because the agent has the capability to modify the codebase and execute database queries via dbt, an attacker could embed malicious instructions in SQL comments to hijack the agent's behavior.
      • Ingestion points: Steps 1 and 3 read SQL files via cat and grep.
      • Boundary markers: Absent; there are no instructions to delimit content or ignore natural language commands within files.
      • Capability inventory: File writing in models/ and macros/ directories and dbt command execution (build, show, compile).
      • Sanitization: Absent.
  • [COMMAND_EXECUTION] (MEDIUM): The skill routinely executes shell commands and dbt CLI operations. While standard for this task, these capabilities are not isolated from the untrusted data being processed, allowing for potential misuse if the agent is manipulated.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:28 AM