lakebase-autoscale
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill provides a significant attack surface for indirect prompt injection due to its integration with external data and high-impact capabilities.
  - Ingestion points: Data enters the context via Delta Lake table names in reverse-etl.md and resource identifiers in projects.md and branches.md.
  - Boundary markers: No delimiters or ignore-embedded-instruction warnings are present in the provided patterns.
  - Capability inventory: The skill can permanently delete projects (w.postgres.delete_project), delete branches (w.postgres.delete_branch), and modify compute resources.
  - Sanitization: Code examples do not demonstrate validation or escaping for resource identifiers before using them in API calls.
- [Command Execution] (MEDIUM): A DNS resolution workaround in connection-patterns.md invokes a system command using unvalidated input.
  - Evidence: The resolve_hostname function uses subprocess.run(["dig", "+short", hostname]). This introduces a command injection risk if the hostname variable is influenced by untrusted external sources.
- [Unverifiable Dependencies] (MEDIUM): The skill relies on libraries from sources not explicitly listed as trusted.
  - Evidence: Usage of databricks-sdk and psycopg. While standard for this context, they fall outside the predefined trusted scope.
Recommendations
- AI detected serious security threats
Audit Metadata