neon-instagres
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill executes unverified code from the public npm registry using `npx get-db`. This allows for arbitrary code execution in the user's environment. The risk is significantly increased by the skill's ability to process user-provided SQL files via the `--seed` flag at runtime.
- [DATA_EXFILTRATION] (MEDIUM): The skill explicitly reads the sensitive `.env` file using `cat` and `grep`. While it targets the `DATABASE_URL` key, this mechanism can be exploited to access and expose other secrets stored in the environment file if the agent's context is manipulated.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted data while maintaining system-level capabilities.
  - Ingestion points: Processes `.env` files and `schema.sql` files.
  - Boundary markers: None present; there are no delimiters or instructions to ignore embedded commands within the processed files.
  - Capability inventory: Performs command execution via `bash`, remote package execution via `npx`, and package installation via `npm install`.
  - Sanitization: No validation or sanitization of file content is performed before processing.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Relies on `npx` to fetch and execute packages from the npm registry. Neither the package `get-db` nor the provider 'Neon' are in the strictly defined list of trusted sources.
- [COMMAND_EXECUTION] (MEDIUM): Extensively uses `bash` to interact with the local filesystem, environment variables, and external package managers.
Recommendations
- AI detected serious security threats
Audit Metadata