query-metrics
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection. It ingests data from Axiom MetricsDB, specifically metric names, tags, and tag values, which are often populated from distributed application telemetry.
  - Ingestion points: Untrusted data enters the context via `scripts/metrics-info` (discovering tags/values) and `scripts/metrics-spec` (query documentation).
  - Boundary markers: None are specified in the instructions to prevent the agent from interpreting data as instructions.
  - Capability inventory: The skill includes `scripts/axiom-api` for low-level authenticated API calls and several scripts that execute shell commands using `curl` and `jq`.
  - Sanitization: No sanitization or validation of the retrieved telemetry data is mentioned.
- [COMMAND_EXECUTION] (HIGH): The core functionality depends on executing local shell scripts (`scripts/setup`, `scripts/metrics-query`, `scripts/metrics-info`, `scripts/axiom-api`). These scripts have access to the local environment and the network.
- [DATA_EXFILTRATION] (MEDIUM): The skill requires a Personal Access Token stored in `~/.axiom.toml`. The `scripts/axiom-api` tool allows the agent to make arbitrary authenticated requests to the Axiom API. If the agent is manipulated via indirect injection, this capability could be used to exfiltrate sensitive telemetry data or modify organization settings.
- [EXTERNAL_DOWNLOADS] (LOW): The skill is installed from `axiomhq/skills` using `amp` or `npx`. While Axiom is a known provider, this involves downloading and executing remote scripts. Per [TRUST-SCOPE-RULE], this is noted as LOW/INFO because the source is specific, but it does not mitigate the high-severity behavior of the code itself.
Recommendations
- AI detected serious security threats
Audit Metadata