civitai-analyst
Audited by Gen Agent Trust Hub on Feb 13, 2026
================================================================================
🔴 VERDICT: CRITICAL
This skill poses a CRITICAL security risk primarily due to its reliance on an unverified, custom external HTTP endpoint for its core functionality. All database queries and their results are transmitted to and from this endpoint. The database schema includes potentially sensitive information (e.g., audit logs, user-generated prompts). If the external server is malicious or compromised, or if the AI generates malicious SQL, this could lead to unauthorized data exfiltration or unintended command execution. The authorization token is also sent to this untrusted endpoint.
Total Findings: 5
🔴 CRITICAL Findings:
• Data Exfiltration to Untrusted Endpoint
  - Line 4 in .mcp.json: The skill's core functionality involves connecting to a custom HTTP endpoint (https://n8n-ock80s0oowgc4cws8g0o48sk.18.191.220.185.sslip.io/mcp/8fe59958-c0d9-4777-847c-0887913c84fc) which is not a trusted source. All SQL queries generated by the LLM and the results from the database will be sent to and received from this endpoint. The database schema (references/schema.md) contains tables like `civitai.events` (audit log) and `civitai.prompts` (user-generated prompts) which could hold sensitive or proprietary information. If the LLM is prompted to query these tables, and the data is transmitted to this untrusted external server, it constitutes a critical data exfiltration risk.
• Credentials Sent to Untrusted Endpoint
  - Line 5 in .mcp.json: The `CIVITAI_RECORD_MCP_SERVER_TOKEN` is used for authorization to the custom, untrusted HTTP endpoint. While stored as an environment variable (good practice for secrets management), the token itself is sent to an endpoint whose trustworthiness cannot be verified, posing a risk of credential compromise if the endpoint is malicious.
🟡 MEDIUM Findings:
• Unverifiable External Dependency (Custom MCP Server)
  - Line 4 in .mcp.json: The `civitai_records` MCP server is configured to connect to a custom HTTP endpoint (https://n8n-ock80s0oowgc4cws8g0o48sk.18.191.220.185.sslip.io/mcp/8fe59958-c0d9-4777-847c-0887913c84fc). This is an external dependency that cannot be fully verified by analyzing the skill files alone. The `sslip.io` domain points to a generic AWS EC2 IP address, indicating a custom, unmanaged server. This introduces a significant trust boundary and potential for malicious behavior outside the scope of this analysis.
• Potential for Indirect Command Execution (SQL Injection)
  - Line 29 in SKILL.md: The skill generates and executes SQL queries based on natural language input. While the provided SQL templates are benign `SELECT` statements, the LLM's ability to generate arbitrary SQL and send it to the `query_civitai_db` tool introduces a risk of SQL injection. If the `query_civitai_db` tool or the backend database does not have robust validation and permission controls, a malicious prompt could lead to unintended database operations (e.g., `DROP TABLE`, `UPDATE`, `DELETE`, or unauthorized `SELECT` statements).
🔵 LOW Findings:
• External Download from Trusted Source (Tailwind CSS CDN)
  - Line 10 in references/report-templates.md: The HTML report template references https://cdn.tailwindcss.com. This is a well-known and trusted Content Delivery Network for Tailwind CSS. It is noted as an external dependency but is considered low risk due to the trusted nature of the source.
================================================================================
- AI detected serious security threats