query-builder
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Finding categories: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection through user-provided natural language questions.
  - Ingestion points: `SKILL.md` defines user questions (e.g., 'show me users') as the primary trigger.
  - Boundary markers: Absent. There are no delimiters or specific instructions to treat the natural language input as untrusted data.
  - Capability inventory: The `whodb_query` function allows the execution of arbitrary SQL commands on the connected database.
  - Sanitization: The 'Safety Rules' section provides instructions to avoid destructive operations like `DELETE` or `DROP`, but explicitly allows them if 'requested', which an attacker can easily exploit.
- Data Exfiltration (LOW): The skill's primary purpose is to read data from a database and present it to the user.
  - Evidence: The workflow uses `whodb_tables`, `whodb_columns`, and `whodb_query` to extract schema and record information.
  - Risk: If the database contains sensitive information, the skill provides a direct path for an unauthorized user to query and extract that data through natural language requests.
- Command Execution (LOW): The skill performs dynamic code generation and execution in the form of SQL.
  - Evidence: The workflow assembles SQL strings based on user intent and executes them using `whodb_query(query="generated SQL")`.
  - Context: While this is the intended purpose of the skill, the lack of parameterization or a hardened execution environment for the generated SQL poses a security risk.