databases
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to execute system-level commands with superuser privileges.
- Evidence: Found
sudo apt-get install postgresql postgresql-contribandsudo systemctl start postgresqlin the PostgreSQL setup section ofSKILL.md. - Risk: Granting an agent
sudoaccess allows for full system compromise, unauthorized software installation, and persistence. - [PROMPT_INJECTION] (HIGH): The skill exhibits a significant Indirect Prompt Injection attack surface (Category 8).
- Ingestion points: The skill is designed to read data from external sources (MongoDB and PostgreSQL databases) via commands like
db.users.find()andSELECT * FROM users. - Boundary markers: Absent. There are no instructions or delimiters provided to the agent to treat database content as untrusted or to ignore embedded instructions.
- Capability inventory: The skill possesses high-risk capabilities including shell access via
psqlandmongosh, as well as Python script execution for migrations and backups. - Sanitization: Absent. There is no evidence of output sanitization or validation for data retrieved from the databases before it is processed or used in further commands.
- Risk: An attacker could place malicious instructions inside a database field. When the agent reads this record, it could be coerced into executing arbitrary SQL, exfiltrating data, or modifying the system via the provided Python utility scripts.
Recommendations
- AI detected serious security threats
Audit Metadata