data-analysis
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill executes a local Python script using the `--sql` flag, which accepts arbitrary SQL strings. This allows for the execution of complex DuckDB logic that can interact with the host filesystem.
- [DATA_EXFILTRATION] (HIGH): DuckDB's built-in functions such as `read_csv_auto()`, `read_parquet()`, or `glob()` can be used within the `--sql` parameter to access sensitive system files (e.g., `/etc/passwd`) if the process has sufficient permissions.
- [PROMPT_INJECTION] (HIGH): Category 8: Indirect Prompt Injection.
  1. Ingestion points: Untrusted Excel and CSV files uploaded to `/mnt/user-data/uploads/`.
  2. Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands in the processed data.
  3. Capability inventory: Ability to execute arbitrary SQL, read any file via DuckDB, and write output files to arbitrary paths via the `--output-file` parameter.
  4. Sanitization: Absent; the skill is designed to support arbitrary SQL, making it highly susceptible to malicious payloads embedded in data files that could influence the generated SQL queries.
- [DATA_EXFILTRATION] (MEDIUM): The `--output-file` parameter allows the agent to write query results to potentially sensitive locations on the filesystem, which could lead to file overwriting or unauthorized data placement.
Recommendations
- AI detected serious security threats
Audit Metadata