databricks-agent-bricks
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill architecture presents an indirect prompt injection surface because it is designed to process untrusted data from external sources.
  - Ingestion points: Knowledge Assistants (KA) index documents and example JSON files from Unity Catalog Volumes, while Supervisor Agents (MAS) ingest data from external MCP servers via HTTP connections.
  - Boundary markers: The skill does not define explicit delimiters, nor instructions to ignore embedded commands, for the ingested documents or external tool responses.
  - Capability inventory: The skill tools (manage_ka, manage_mas) can create, update, and manage model serving endpoints and execute Unity Catalog functions.
  - Sanitization: There is no evidence of sanitization, validation, or filtering of the content retrieved from external files or MCP server endpoints before it is presented to the agent.
- [EXTERNAL_DOWNLOADS]: The skill documentation describes the integration with external MCP (Model Context Protocol) servers.
  - Evidence: It provides instructions for setting up Unity Catalog HTTP connections that point to external JSON-RPC endpoints, enabling the agent to interact with external systems.
Audit Metadata