constructive-functions
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The Direct Database Access section of the documentation provides a code template that executes a raw SQL query taken directly from the function's input parameters. This pattern creates a high-risk SQL injection surface: any caller who controls that input can execute arbitrary database commands. Evidence: in SKILL.md, the sample code reads `const { query } = params;` followed by `await pool.query(query);`, with no validation, allow-listing or parameterization of the query.
- [EXTERNAL_DOWNLOADS]: The skill documentation includes examples that install several Node.js dependencies, primarily from the @constructive-io and @pgpmjs namespaces, which are associated with the platform vendor. They are used for builds, tests and database environment management.
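The following is an added example, not code from the constructive-functions skill, its SKILL.md or the audit itself. It places the raw-query template the finding quotes next to a parameterized, allow-listed handler so the difference in what reaches the database is visible. The `recordingPool()` helper is a stand-in for a `pg.Pool`: it keeps the driver's `query(text, values)` signature but only records what it was asked to run, so the example executes offline. The statement names, tables and columns are hypothetical.

```javascript
// Added example: not code from the constructive-functions skill, SKILL.md or
// the audit. It contrasts the raw-query template the finding quotes with a
// parameterised, allow-listed handler.
//
// `recordingPool()` is a stand-in for a pg.Pool: it exposes the same
// query(text, values) signature but only records what it was asked to run,
// so the example executes offline. Statement names, table and column names
// are hypothetical.

// The flagged pattern: whatever the caller puts in params.query becomes SQL.
async function vulnerableHandler(params, pool) {
  const { query } = params;
  return pool.query(query);
}

// Hardened pattern: the caller selects a statement by name, only argument
// values cross the trust boundary, and they travel as bind parameters
// ($1, $2, ...) rather than being spliced into the SQL text.
const ALLOWED_STATEMENTS = {
  getUserByEmail: {
    text: 'SELECT id, email FROM users WHERE email = $1',
    params: ['email'],
  },
  listOrdersForUser: {
    text: 'SELECT id, total FROM orders WHERE user_id = $1 AND status = $2',
    params: ['userId', 'status'],
  },
};

// Bind parameters should be plain scalars; objects and arrays would be
// serialised by the driver in ways the statement author did not plan for.
function isScalar(v) {
  return v === null || ['string', 'number', 'boolean'].includes(typeof v);
}

async function safeHandler(params, pool) {
  const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const stmt = hasOwn(ALLOWED_STATEMENTS, params.name)
    ? ALLOWED_STATEMENTS[params.name]
    : undefined;
  if (!stmt) {
    throw new Error(`unknown statement: ${String(params.name)}`);
  }
  const args =
    params.args !== null && typeof params.args === 'object' ? params.args : {};
  const values = stmt.params.map((p) => {
    if (!hasOwn(args, p) || !isScalar(args[p])) {
      throw new Error(`missing or non-scalar argument: ${p}`);
    }
    return args[p];
  });
  // Same call shape as pg: pool.query(text, values).
  return pool.query(stmt.text, values);
}

// Stand-in for pg.Pool that records calls instead of talking to Postgres.
function recordingPool() {
  const calls = [];
  return {
    calls,
    async query(text, values = []) {
      calls.push({ text, values });
      return { rows: [], rowCount: 0 };
    },
  };
}

// Runs both handlers on the same hostile input (constructed for this example)
// and returns what each one would have sent to the database.
async function demo() {
  const hostile = "x' OR 1=1; DROP TABLE users; --";

  const rawPool = recordingPool();
  await vulnerableHandler(
    { query: `SELECT id, email FROM users WHERE email = '${hostile}'` },
    rawPool,
  );

  const safePool = recordingPool();
  await safeHandler({ name: 'getUserByEmail', args: { email: hostile } }, safePool);

  return {
    vulnerableText: safePool.calls.length ? rawPool.calls[0].text : '',
    safeText: safePool.calls[0].text,
    safeValues: safePool.calls[0].values,
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In the raw handler the hostile string becomes part of the SQL text, so the `DROP TABLE` arrives at the server as a statement; in the allow-listed handler the SQL text is fixed at build time and the same string arrives only as the value bound to `$1`. A handler that must accept a caller-chosen query name should also reject unknown names and non-scalar arguments, as `safeHandler` does, rather than trusting the shape of `params`.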
Audit Metadata