attach-db
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via database metadata.
  - Ingestion points: Table names are retrieved from the database using the duckdb_tables() function in Step 4 of SKILL.md.
  - Boundary markers: No delimiters or protective warnings are used when these table names are interpolated into subsequent SQL commands.
  - Capability inventory: The skill possesses the ability to execute arbitrary SQL and Bash commands.
  - Sanitization: No escaping or validation is performed on the retrieved table names before they are used in DESCRIBE or SELECT count() operations.
- [COMMAND_EXECUTION]: The skill dynamically generates and executes SQL by appending user-provided content to a local initialization file.
  - Evidence: In Step 6, the absolute path of the database is interpolated into an ATTACH statement within state.sql. Paths containing SQL metacharacters (e.g., single quotes) could trigger unintended SQL execution when the file is used for session initialization.
- [COMMAND_EXECUTION]: The skill performs persistent configuration changes, including creating directories in the user's home directory and appending the .duckdb-skills/ directory to the project's .gitignore file.
Audit Metadata