Skills
skills/arman-kudaibergenov/1c-ai-development-kit/db-update/Gen Agent Trust Hub

db-update

Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The PowerShell script scripts/db-update.ps1 accepts a -Password parameter and explicitly prints it to the standard output using the command Write-Host "Running: 1cv8.exe $($arguments -join ' ')". This behavior exposes sensitive credentials in logs and console output.
  • [COMMAND_EXECUTION]: The skill uses powershell.exe to execute a local script that subsequently invokes the 1C Enterprise platform executable (1cv8.exe) via Start-Process. Arguments for this execution are dynamically constructed from user input and the .v8-project.json configuration file.
  • [PROMPT_INJECTION]: The skill instructions in SKILL.md require the agent to parse a local configuration file (.v8-project.json) and use its values (such as v8path and database connection strings) to construct command-line arguments. If this file is modified by an attacker in a shared repository, it could lead to indirect injection of malicious arguments into the PowerShell script.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 4, 2026, 10:15 AM