query-writing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Prompt Injection] (HIGH): The skill is vulnerable to Indirect Prompt Injection through processed database data.
  - Ingestion points: Untrusted data enters the agent context via tool outputs from `sql_db_schema` and `sql_db_query`.
  - Boundary markers: There are no specified delimiters or instructions to ignore embedded commands within the database results.
  - Capability inventory: The agent has the power to execute arbitrary SQL (potentially including DML or administrative commands) and retrieve database metadata.
  - Sanitization: No technical sanitization or validation of retrieved data is defined; the agent processes and formats results directly.
- [Command Execution] (MEDIUM): The skill allows the agent to generate and run database commands. While the instructions forbid DML (INSERT, UPDATE, DELETE, DROP), this is not technically enforced. If the database user has sufficient privileges, an agent could be manipulated into performing destructive operations despite the guidelines.
Recommendations
- AI detected serious security threats
Audit Metadata