civitai-analyst

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The skill's functionality (NL→SQL analytics for Civitai videos) is legitimate and useful, but the current specification lacks critical security controls. The main risks are SQL injection and information leakage via raw error messages, unconstrained SQL execution, and exposure of internal IDs/PII in reports or logs. No explicit signs of malware or obfuscation appear in the provided text, but the ability to synthesize and execute arbitrary SQL from user input makes deployment without hardened controls potentially dangerous. Implement parameterized queries, least-privilege DB roles, template allowlists, error sanitization, and output redaction before enabling execution in production.

Confidence: 98%

Audit Metadata

Analyzed At: Feb 16, 2026, 03:43 AM
Package URL: pkg:socket/skills-sh/feed-mob%2Fagent-skills%2Fcivitai-analyst%2F@7c349f55aeee5b47b712c225c0cac07039c8161a