skills/datadrivenconstruction/ddc_skills_for_ai_agents_in_construction/data-model-designer/Gen Agent Trust Hub
data-model-designer
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted user data (CSV, Excel, JSON) to generate SQL schemas, JSON schemas, and Mermaid diagrams. It lacks input validation or sanitization for entity and field names, allowing for indirect injection where malicious inputs could manipulate the structure of the generated code strings.
- Ingestion points: The
instructions.mdfile specifies that the agent accepts project data via CSV, Excel, or JSON formats. - Boundary markers: None identified in the prompt interpolation process.
- Capability inventory: The skill is limited to string manipulation and data structure generation within
SKILL.md. It does not execute the generated SQL or system commands. - Sanitization: Absent; the
generate_sql_schemaandgenerate_er_diagrammethods inSKILL.mddirectly concatenate field names and descriptions into the output strings.
Audit Metadata