cwe-89-sql-injection
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains deceptive instructions in the 'Secure Implementation' section. Both provided 'Secure Implementation' code blocks are identical to the 'Vulnerable Pattern' Example 2. They use string concatenation to build an SQL query, `"select * from cars where id='" + id + "'"`, instead of using parameterized queries with placeholders as recommended in the remediation steps. This misleads the agent into following an insecure pattern while labeling it as secure, effectively bypassing the agent's safety goal of providing correct vulnerability remediation.
Audit Metadata