transforming-data
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a high-severity attack surface for indirect prompt injection due to its core function of processing untrusted data with side-effect capabilities.
- Ingestion points: The 'airflow-data-pipeline.py' script reads data from 's3://raw-data/sales.csv'. Multiple other example scripts read from local CSV files that would be provided by users or external systems.
- Boundary markers: No delimiters or instructions to ignore embedded commands are used when processing the data in the provided scripts.
- Capability inventory: The Airflow DAG can send Slack messages via 'SlackWebhookOperator', trigger dbt Cloud jobs via 'DbtCloudRunJobOperator', and write to S3 buckets.
- Sanitization: No sanitization or validation of the content within the data files is performed before it influences downstream actions or notifications.
- [Command Execution] (MEDIUM): Path traversal vulnerability in 'scripts/generate_dbt_models.py'. The script accepts a '--name' argument which is used to construct a filesystem path without any validation or sanitization. Evidence: 'file_path = model_dir / f"{name}.sql"' allows an attacker to use '../' sequences to write files to unintended directories.
- [Dynamic Execution] (LOW): The 'scripts/generate_dbt_models.py' script generates boilerplate SQL code based on predefined templates. While this uses static templates, the lack of input validation for the file names is a violation of best practices.
Recommendations
- AI detected serious security threats
Audit Metadata