elasticsearch-onboarding
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection because it asks the user to supply data samples (JSON, CSV, or database schemas) to help define mappings and generate code. Those samples may originate from untrusted sources, and any natural-language instructions embedded in their values reach the model as part of the task context.
  - Ingestion points: Found in `references/elasticsearch-onboarding-playbook.md`, within the 'Understand Their Data' step.
  - Boundary markers: The instructions define no explicit delimiters around the supplied data and do not tell the agent to ignore natural-language commands that might be embedded within it.
  - Capability inventory: The skill can generate executable code (Python, JavaScript), create Elasticsearch mappings, and execute cluster operations when the Elasticsearch MCP server is connected, so an injected instruction has real side effects within reach.
  - Sanitization: No sanitization or validation logic is defined for the input data before it is processed by the LLM.
- [COMMAND_EXECUTION]: The playbook provides instructions for setting up an MCP server, which requires defining shell commands (`docker run` or `npx`) in local configuration files. While these commands target official Elastic vendor resources, they represent a persistent execution mechanism within the user's environment: the configured command runs each time the agent host launches the server, so the configuration file should be reviewed before use.
- [DATA_EXFILTRATION]: The skill manages sensitive connection details, including the Elasticsearch URL and API Key. It handles this safely by instructing the user to store these in configuration files that are excluded from version control via `.gitignore`. Note that `.gitignore` only keeps the file out of commits; it does not protect the key on disk or stop the agent from reading it, so the API Key should carry only the privileges the onboarding needs.
Audit Metadata