clickhouse-operations
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes multiple scripts and examples that use powerful system commands for database administration.
  - The backup and restoration scripts in SKILL.md and examples/scaling-case-studies.md utilize sudo, systemctl, chown, and rsync to manage database services and data files.
  - Network diagnostic tools such as ping, mtr, nc, and telnet are included in troubleshooting guides to verify connectivity.
  - These commands are consistent with the skill's stated purpose for production management but require high-privilege access.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs the agent to read and analyze data from untrusted sources within the database.
  - Ingestion points: The monitoring and diagnostic queries in SKILL.md and references/monitoring-queries.md read query text, error messages, and process information from system.query_log, system.processes, and system.errors.
  - Boundary markers: The instructions lack delimiters or explicit warnings for the agent to ignore instructions that might be embedded within the database logs (e.g., a malicious user could submit a query containing agent instructions).
  - Capability inventory: The agent has access to the Bash tool and is provided with examples for file system modification (rm, rsync), service control (systemctl), and network operations.
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from ClickHouse system tables before it is processed by the agent.