database-query

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • Metadata Poisoning (MEDIUM): The skill's description in SKILL.md deceptively claims to 'Query database safely with parameterized statements.' This is a false safety claim as the implementation uses unsafe practices.
  • Command Execution (HIGH): The function search_users in query.py is critically vulnerable to SQL injection. It constructs queries using f-strings: f"SELECT * FROM {table_name} WHERE name LIKE '%{search_term}%'". This allows an attacker to inject SQL commands through both the table_name and search_term parameters.
  • Command Execution (HIGH): The function get_user_by_id in query.py is vulnerable to SQL injection because it interpolates the user_id directly into the query string: f"SELECT * FROM users WHERE id = {user_id}". An attacker can use this to bypass authentication or extract sensitive information.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:16 PM