
wren-usage

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses the sensitive local configuration file ~/.wren/profiles.yml to retrieve database connection profiles and datasource hints. This file typically contains sensitive credentials and connection strings.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the wren context instructions command.
      • Ingestion points: Data retrieved from wren context instructions in SKILL.md is treated as high-priority instructions by the agent.
      • Boundary markers: Absent; the skill explicitly directs the agent to treat this output as rules that override existing defaults.
      • Capability inventory: The skill possesses the ability to execute SQL queries, access local configuration files, and install Python packages via pip.
      • Sanitization: Absent; there is no validation or filtering of the content returned by the tool before it is adopted as instructions.
  • [COMMAND_EXECUTION]: The skill relies on shell command execution for its core functionality, including the wren CLI and Python scripts. It interpolates user-provided questions into shell commands, which presents a risk of command injection if the input is not sanitized.
  • [EXTERNAL_DOWNLOADS]: The skill fetches a versions.json file from the Canner organization's GitHub repository to check for updates.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 10, 2026, 01:02 PM