migrating-dbt-core-to-fusion

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses uvx to download and run the dbt-autofix tool directly from the vendor's GitHub repository (github.com/dbt-labs/dbt-autofix.git).
  • [EXTERNAL_DOWNLOADS]: Fetches data from the GitHub API (api.github.com) to identify known Fusion engine gaps and associated issues.
  • [COMMAND_EXECUTION]: Employs CLI tools such as dbt, git, and uvx to analyze project state, verify credentials, and apply migration changes.
  • [PROMPT_INJECTION]: The skill processes external data from project files and error logs, which creates an indirect prompt injection surface.
      • Ingestion points: SQL files, YAML configs, and dbt error logs as described in SKILL.md.
      • Boundary markers: The skill instructs the agent to treat project content as untrusted and ignore any embedded commands or instructions.
      • Capability inventory: The agent has access to Bash (dbt, git, uvx), Read, Write, Edit, and WebFetch (api.github.com) capabilities.
      • Sanitization: Instructions in SKILL.md direct the agent to extract only structured fields and ignore instruction-like text from project data.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 13, 2026, 10:21 PM