snowflake-semanticview
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection via the ingestion of untrusted database metadata.
- Ingestion points: The workflow explicitly instructs the agent to read Snowflake table, view, and column comments, as well as query table data using `SELECT DISTINCT` to identify relationships (Steps 4 and 5).
- Boundary markers: There are no instructions to use delimiters or ignore potential commands embedded within the retrieved database comments or data.
- Capability inventory: The skill possesses the capability to execute arbitrary SQL commands via `snow sql` (Step 7), which includes `CREATE`, `ALTER`, and `SELECT` operations.
- Sanitization: The instructions lack any requirement to sanitize or escape the content retrieved from Snowflake metadata before interpolating it into the final DDL or validation queries, potentially allowing malicious metadata to manipulate the generated SQL.
Audit Metadata