Snowflake Automation
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (LOW): The tool SNOWFLAKE_EXECUTE_SQL allows for the execution of arbitrary SQL statements, including DDL (Data Definition Language) and DML (Data Manipulation Language). While intended for automation, this provides a powerful interface for data modification.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection. Malicious instructions could be embedded within Snowflake metadata (table/column names) or the data itself (query results), which the agent would ingest when running discovery or search tools.
  - Ingestion points: SQL query results and metadata returned by SNOWFLAKE_SHOW_DATABASES, SNOWFLAKE_SHOW_SCHEMAS, and SNOWFLAKE_SHOW_TABLES.
  - Boundary markers: None explicitly defined in the skill instructions to separate data from commands.
  - Capability inventory: Full SQL execution capabilities (DDL/DML) via SNOWFLAKE_EXECUTE_SQL.
  - Sanitization: The documentation correctly advises the use of the bindings parameter to mitigate standard SQL injection, but this does not prevent LLM-level indirect prompt injection.
- [DATA_EXFILTRATION] (LOW): The skill enables the agent to read and process potentially sensitive corporate data from a Snowflake warehouse, which represents a data exposure surface if the agent is compromised or misused.
- [EXTERNAL_DOWNLOADS] (LOW): The skill relies on an external MCP server hosted at https://rube.app/mcp, which is not among the predefined trusted GitHub organizations or repositories.
Audit Metadata