smart-data-query
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The instructions in 'references/日志与迭代机制.md' direct the agent to run shell commands that incorporate raw user feedback, e.g. 'python3 scripts/log_qa.py ... --feedback "<原因>"' (the placeholder '<原因>' means '<reason>'). If the agent interpolates the user-provided text directly into that shell string, a feedback value containing shell metacharacters (';', '&', '|', or a '"' that closes the quoted argument) is executed as additional commands. The fix is to pass the feedback as a single argv element (no shell), or, where a shell string is unavoidable, to quote it and validate it first.
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection because it ingests untrusted business requirements and user feedback. Ingestion points: user-provided requirement text and feedback strings enter the agent's context through 'SKILL.md' and 'references/日志与迭代机制.md'. Boundary markers: none; the instructions specify no delimiters or safety warnings for handling external data. Capability inventory: the skill can execute several local Python scripts via system calls, so injected text can reach those invocations. Sanitization: none; there are no instructions for validating or escaping user input before it is used as a command-line argument.
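The two findings above share one remediation: the feedback string must never be spliced into a shell command as text. The block below is an added example, not code from the smart-data-query skill or from Gen Agent Trust Hub. It keeps the script name and flag the audit quotes ('scripts/log_qa.py', '--feedback') but replaces the real script with a stand-in ('python -c') that echoes its arguments, so it runs offline; the hostile feedback string and the validation limits are constructed for illustration.

```python
"""Unsafe vs. safe construction of the log_qa.py invocation (added example).

The script path and flag come from the audit text; the stand-in child
process and the sample feedback are constructed here and are not part
of the audited skill.
"""
import json
import shlex
import subprocess
import sys

# Constructed attacker-controlled feedback: a '"' closes the quoted argument
# in the unsafe template, then ';' starts a new shell command.
HOSTILE_FEEDBACK = 'ok"; echo pwned; "'


def unsafe_command(feedback: str) -> str:
    """The pattern the audit warns about: raw interpolation into a shell
    string. Shown only to make the injection visible; never run it."""
    return f'python3 scripts/log_qa.py --feedback "{feedback}"'


def validate_feedback(feedback: str, max_len: int = 2000) -> None:
    """Reject values that cannot be legitimate free-text feedback.
    Limits are assumptions chosen for this example."""
    if len(feedback) > max_len:
        raise ValueError("feedback too long")
    if any(ord(c) < 0x20 and c not in "\n\t" for c in feedback):
        raise ValueError("control characters in feedback")


def safe_argv(feedback: str) -> list:
    """argv list: the feedback is exactly one element and no shell is
    involved, so metacharacters are just characters. The '--flag=value'
    form also stops a feedback string beginning with '-' from being
    parsed as another option."""
    validate_feedback(feedback)
    return ["python3", "scripts/log_qa.py", "--feedback=" + feedback]


def safe_shell_string(feedback: str) -> str:
    """If a shell string is unavoidable (e.g. it is logged for a human),
    quote the untrusted part with shlex.quote."""
    validate_feedback(feedback)
    return "python3 scripts/log_qa.py " + shlex.quote("--feedback=" + feedback)


# Stand-in for scripts/log_qa.py: prints its argv as JSON so we can see
# exactly what the child process received.
STAND_IN = "import sys, json; print(json.dumps(sys.argv[1:]))"


def run_stand_in(feedback: str) -> list:
    """Run the safe argv against the stand-in and return the child's argv."""
    argv = safe_argv(feedback)
    # Swap 'python3 scripts/log_qa.py' for the current interpreter + stand-in.
    argv = [sys.executable, "-c", STAND_IN] + argv[2:]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    print("unsafe string :", unsafe_command(HOSTILE_FEEDBACK))
    print("safe argv     :", safe_argv(HOSTILE_FEEDBACK))
    print("safe string   :", safe_shell_string(HOSTILE_FEEDBACK))
    print("child received:", run_stand_in(HOSTILE_FEEDBACK))
```

With the hostile feedback, `unsafe_command` yields `... --feedback "ok"; echo pwned; ""`, which a shell runs as two commands, while the child started from `safe_argv` receives the whole string as one `--feedback=...` argument. The validation is deliberately an allowlist on shape (length, no control characters) rather than a denylist of metacharacters, because the argv form already makes metacharacters harmless and a denylist would only reject legitimate feedback.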
- SAFE (SAFE): The 'SKILL.md' file includes a 'Guards' section that explicitly prohibits the generation of destructive SQL statements such as DROP, TRUNCATE, and DELETE, which helps prevent accidental or malicious database modifications. Note that a prompt-level denylist of keywords is a mitigation, not an enforcement boundary: it does not by itself cover other write statements (for example UPDATE or INSERT) and it can be undermined by how the agent's output is checked, so it is best paired with a read-only database role.
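A concrete check that an agent harness could run over generated SQL before executing it, as an added example that is not code from the audited skill: it normalizes away comments and string literals (so 'DROP' inside a literal is not a false positive and a DROP hidden after a line comment is not missed), then applies an allowlist on the leading keyword of every statement plus the denylist the 'Guards' section describes. The keyword sets and the sample queries are constructed for this example; the check is a heuristic and should sit in front of a read-only connection, not replace one.

```python
"""Read-only SQL guard (added example; heuristic, not a full SQL parser).

Two layers: each statement must start with an allowlisted read keyword,
and no statement may contain a write/DDL keyword anywhere. Keyword sets
are assumptions for this example; the page only names DROP, TRUNCATE
and DELETE.
"""
import re

READ_ONLY_LEADS = {"SELECT", "WITH", "EXPLAIN", "SHOW", "DESCRIBE"}
# DROP, TRUNCATE and DELETE come from the audited 'Guards' section; the
# rest are added here so that the guard covers every write path.
DESTRUCTIVE = {
    "DROP", "TRUNCATE", "DELETE", "UPDATE", "INSERT", "ALTER",
    "CREATE", "GRANT", "REVOKE", "MERGE", "REPLACE",
}

_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_STRING_RE = re.compile(r"'(?:[^']|'')*'")  # '' is an escaped quote in SQL
_WORD_RE = re.compile(r"[A-Za-z_]+")


def normalize(sql: str) -> str:
    """Strip comments and blank out string literals so keyword checks see
    only real SQL tokens. Comments go first so a '--' inside a literal is
    still handled (the literal is removed afterwards anyway)."""
    sql = _COMMENT_RE.sub(" ", sql)
    return _STRING_RE.sub("''", sql)


def statements(sql: str) -> list:
    """Split normalized SQL on ';' into non-empty statements."""
    return [s.strip() for s in normalize(sql).split(";") if s.strip()]


def check_sql(sql: str) -> tuple:
    """Return (allowed, reason). Allowed only if every statement starts
    with a read keyword and contains no destructive keyword."""
    stmts = statements(sql)
    if not stmts:
        return False, "empty query"
    for stmt in stmts:
        words = [w.upper() for w in _WORD_RE.findall(stmt)]
        if not words:
            return False, "statement has no keyword"
        if words[0] not in READ_ONLY_LEADS:
            return False, f"statement starts with {words[0]}"
        bad = sorted(set(words) & DESTRUCTIVE)
        if bad:
            return False, f"statement contains {bad[0]}"
    return True, "ok"


# Constructed sample queries an agent might emit.
SAMPLES = [
    "SELECT id FROM orders WHERE note = 'DROP TABLE x'",     # literal, allowed
    "SELECT 1; DROP TABLE orders",                            # stacked DROP
    "WITH d AS (SELECT 1) DELETE FROM orders",                # CTE hiding DELETE
    "SELECT 1 /* ; TRUNCATE orders */",                       # comment, allowed
    "SELECT 1; -- harmless\nDROP TABLE orders",               # DROP after comment
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(check_sql(q), repr(q))
```

A bare identifier that happens to be a keyword (a column literally named `delete`) will be rejected by the denylist layer; that false positive is the intended trade-off for a guard that runs before the query reaches the database.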
Audit Metadata