databricks-serverless-migration

Pass

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: SAFE
Findings tagged: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its primary workflow involves reading and analyzing untrusted user content (Databricks notebooks, scripts, and configuration files). Maliciously crafted comments or code within these files could influence the agent's logic during the migration process.
  • Ingestion points: Notebooks and source files referenced by the migration target (SKILL.md, Step 2).
  • Boundary markers: No explicit delimiters or instructions to ignore embedded instructions are specified when reading external files.
  • Capability inventory: The skill can create and update Databricks jobs, execute CLI commands, and write files to the local home directory.
  • Sanitization: There is no mention of sanitizing or escaping the content of ingested files before they are processed or used to generate new code.
  • [COMMAND_EXECUTION]: The skill's instructions require the agent to execute shell commands using the Databricks CLI (e.g., databricks account network-connectivity create, databricks jobs update) and utilize the Databricks SDK for Python to perform infrastructure migration tasks.
  • [DATA_EXPOSURE]: The 'Failure Reporting Protocol' in SKILL.md directs the agent to write structured JSON diagnostic reports to the local filesystem (~/.databricks-migration-skill/reports/). While the protocol includes anonymization measures (hashing stack traces, forbidding PII) and is intended for user-controlled debugging, it results in the storage of environment and activity metadata on the local disk.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 24, 2026, 11:07 AM