googlebigquery-automation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process data from external databases (BigQuery) through Metabase.
  - Ingestion points: SQL query results from METABASE_POST_API_DATASET and schema metadata from METABASE_GET_API_DATABASE_ID_METADATA.
  - Boundary markers: None specified. Results are described as deeply nested objects that the agent must parse.
  - Capability inventory: High-privilege capabilities including execution of arbitrary native SQL queries via METABASE_POST_API_DATASET (type: native).
  - Sanitization: No evidence of sanitization or filtering for the data returned from the database. If the database contains malicious instructions (e.g., in user-generated content tables), the agent could be manipulated into executing unauthorized SQL commands or leaking data.
- External Downloads/Remote Code Execution (MEDIUM): The skill requires the addition of a third-party MCP server endpoint: https://rube.app/mcp.
  - Evidence: Instructions under 'Setup' direct users to add a specific external URL as an MCP server. This endpoint provides the logic for the tools used by the skill.
  - Trust Scope: rube.app is not a recognized trusted source according to the [TRUST-SCOPE-RULE]. This constitutes a dependency on an unverifiable remote source that controls the agent's tool definitions and execution flow.
- Command Execution (MEDIUM): The skill facilitates the execution of 'Native SQL Queries'.
  - Evidence: The tool METABASE_POST_API_DATASET allows for raw SQL strings (SELECT * FROM users). While intended for BigQuery, this allows the agent to construct and execute complex logic that could be abused if the prompt is subverted.
Recommendations
- AI detected serious security threats
Audit Metadata