dead_letter_queue
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill captures and persists 'args' and 'kwargs' from failed Celery tasks directly into the 'dead_letter_queue' database table. In a Know Your Customer (KYC) context, these fields often contain sensitive personally identifiable information (PII) or biometric references. The implementation lacks automated sanitization or encryption before storage, and the provided API endpoint ('/dlq/entries') returns this raw data, potentially exposing sensitive information.
- [REMOTE_CODE_EXECUTION]: The 'reprocess_entry' functionality uses 'celery_app.send_task' with the task name and arguments retrieved directly from the database. This enables dynamic loading and execution of internal tasks. If the database entries are manipulated by an attacker or if the API endpoint lacks strict authorization, this mechanism could be used to trigger unauthorized internal workflows or execute code with malicious parameters.
- [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection by storing untrusted data from failed tasks for later administrative review or reprocessing.
  - Ingestion points: Raw task arguments ingested via the 'handle_task_failure' signal handler and the 'list_dlq_entries' API route.
  - Boundary markers: None implemented in the provided code snippets to distinguish between trusted instructions and untrusted data.
  - Capability inventory: The system provides a 'reprocess_entry' capability that executes internal tasks based on stored data.
  - Sanitization: No validation, escaping, or filtering is performed on the task arguments before they are persisted or used in the 'send_task' function.