databricks-testing
Warn
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to execute arbitrary code (Python and SQL) on remote Databricks clusters using MCP Command Execution tools.
- [COMMAND_EXECUTION]: The 'Execution Rules' section explicitly mandates that commands should run automatically without seeking user confirmation, which removes the human-in-the-loop and increases the risk of the agent executing destructive or unauthorized operations if influenced by malicious input.
- [REMOTE_CODE_EXECUTION]: The skill facilitates the generation and execution of code on external infrastructure (Databricks), which is a high-privilege capability involving remote environments.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it processes untrusted data and translates it into executable commands.
- Ingestion points: User-provided code snippets and data fetched from Databricks tables during debugging or validation tasks (SKILL.md).
- Boundary markers: Absent; there are no instructions provided to separate data from instructions or to treat cluster output as untrusted.
- Capability inventory: Arbitrary Python and SQL execution on Databricks clusters via
databricks_commandandexecute_command_with_context(SKILL.md). - Sanitization: Absent; the instructions direct the agent to re-run fixed code based on cluster errors without validation or sanitization of the generated logic.
Audit Metadata