sqlite-tools

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [DATA_EXFILTRATION]: The skill enables the agent to read and manipulate SQLite databases. The documentation in SKILL.md and references/common_queries.md explicitly mentions compatibility with and provides examples for querying sensitive application databases like 'state.vscdb' (VS Code state database). Accessing such files can expose session tokens, configuration, and other private application data.
  • [COMMAND_EXECUTION]: The script 'scripts/sqlite_query.py' is designed to execute arbitrary SQL queries passed via the '--query' command-line argument. While this is the intended functionality of the tool, it grants the agent broad power to modify or delete data within any SQLite file it can access.
  • [COMMAND_EXECUTION]: Several scripts, including 'scripts/sqlite_schema.py' and 'scripts/sqlite_tables.py', use f-string interpolation to construct SQL queries (e.g., in PRAGMA statements or COUNT queries). This practice is vulnerable to SQL injection if the table or database names are provided by an untrusted source, as it bypasses standard parameterization.
  • [PROMPT_INJECTION]: The skill processes data from external database files, which constitutes an indirect prompt injection surface.
      ◦ Ingestion points: Data is read from SQLite database files through all provided scripts, particularly 'sqlite_query.py'.
      ◦ Boundary markers: No delimiters or safety instructions are used to separate database content from agent instructions in the output.
      ◦ Capability inventory: The skill can read from and write to the filesystem (via SQLite) but lacks direct network access or shell execution.
      ◦ Sanitization: The scripts do not sanitize or validate the content of the database rows before returning them to the agent.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Mar 10, 2026, 03:26 AM