databricks-unity-catalog
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection because of the nature of the data it retrieves.
  - Ingestion points: Data is ingested from external files in Volumes (via `read_files` and `download_from_volume`) and from system tables such as `system.access.audit` and `system.query.history`, which contain user-controlled strings (e.g., SQL statements, email addresses, and request parameters).
  - Boundary markers: No explicit instructions or delimiters are shown that would prevent the LLM from following instructions embedded in these data sources.
  - Capability inventory: The skill has high-privilege capabilities, including SQL execution (`mcp__databricks__execute_sql`), file deletion (`delete_volume_file`), and file uploads (`upload_to_volume`).
  - Sanitization: No sanitization or validation of external content is specified before the agent processes it.
- [DATA_EXFILTRATION]: The skill includes tools designed for bidirectional data movement.
  - The `upload_to_volume` and `download_from_volume` functions move data between the local agent environment and cloud storage, which provides a technical pathway for data exfiltration if the agent's logic is subverted.
- [COMMAND_EXECUTION]: The documentation references and demonstrates the use of administrative interfaces.
  - It provides examples of using the Databricks CLI and the `databricks-sdk` to modify system schemas, grant permissions, and manage storage credentials, which are powerful administrative actions.
Audit Metadata