wren-usage
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches a version configuration file from the author's official GitHub repository (Canner) to check for updates. This is a standard vendor-provided functionality for skill maintenance.
- [COMMAND_EXECUTION]: The skill frequently uses shell commands to interact with the
wrenCLI and Python for environment verification. These operations are core to the skill's intended purpose of managing data projects and executing SQL. - [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection via the
wren context instructionscommand. It instructs the agent to treat the output of this command as overriding rules for the session, which could be exploited if an attacker modifies the project's instruction files. - Ingestion points: The agent ingests data from the
wren context instructionscommand output, which is derived from project-specific local configuration. - Boundary markers: No delimiters or isolation markers are specified for the instructions returned by the CLI.
- Capability inventory: The agent has the capability to execute shell commands, read local files, and perform database operations through the
wrenCLI. - Sanitization: There is no evidence of sanitization or filtering of the instructions before they are applied as session rules.
Audit Metadata