ai-data-integration-skill

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill architecture creates a significant surface for Indirect Prompt Injection (Category 8) by translating untrusted natural language into executable SQL commands.
    ◦ Ingestion points: ingests user-provided natural language queries through the run_query tool and processes unstructured text records for classification in llm-transform-patterns.md.
    ◦ Boundary markers: lacks robust instruction/data delimiters and relies on validation logic that adversarial prompt engineering may bypass.
    ◦ Capability inventory: includes high-privilege capabilities such as cursor.execute() for warehouse queries, file-system writes for local caching, and remote API communication.
    ◦ Sanitization: implements sqlglot parsing and keyword-based filtering (validate_query), which protects against basic errors but not against logical injections that remain syntactically valid SQL (for example, a SELECT that UNIONs or JOINs a table the user was never meant to read).
  • [COMMAND_EXECUTION] (HIGH): The mcp-data-patterns.md reference provides code for a tool that dynamically executes generated SQL strings, creating a direct pathway for executing AI-controlled logic on sensitive data infrastructure.
  • [DATA_EXFILTRATION] (MEDIUM): The patterns facilitate the extraction of entire database schemas and record batches. This capability, combined with potential prompt injection, allows for the exfiltration of sensitive organizational data to external AI models or attackers.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 03:09 PM