read-only-postgres
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE (findings tagged COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE)
Full Analysis
- [SAFE]: The skill implements multiple defensive layers to keep the database safe. It enforces a read-only session at the driver level (psycopg2 readonly=True), applies keyword-based validation to reject data-modifying SQL, and refuses multi-statement queries. It also applies resource limits, a row-count cap and a statement timeout, to prevent denial of service. The driver-level read-only session is the layer that actually holds; keyword matching is a heuristic that narrows the attack surface rather than the enforcement boundary.
- [COMMAND_EXECUTION]: Provides a Python-based execution environment via scripts/query.py to perform database introspection and query execution. The script handles connection management and output formatting, and enforces the safety constraints before execution.
- [PROMPT_INJECTION]: The README instructs the agent to modify its own SKILL.md file based on project-specific context. While intended for customization, this relies on the agent's interpretation of codebase content, which could contain malicious instructions (an indirect prompt-injection surface).
  - Ingestion points: database query results and schema metadata are read into the agent context via psycopg2.
  - Boundary markers: output is formatted as a table; no explicit delimiters mark the returned data as untrusted, and no "ignore previous instructions" style text was found in it.
  - Capability inventory: SQL execution and metadata reading across multiple configured databases.
  - Sanitization: strong enforcement of read-only sessions plus keyword filtering prevents the agent from being used to write to the database even if an injection occurs. It does not stop injected text from influencing which read queries the agent issues or how it reports the results.
- [CREDENTIALS_UNSAFE]: The skill manages database credentials (host, user, password) stored in a local connections.json file. It includes proactive measures: it checks for insecure file permissions (anything other than 600) and sanitizes authentication error messages to prevent credential leakage in logs or outputs.
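The layered gate described under [SAFE], as an added example that is not the skill's own scripts/query.py. It shows the order a practitioner would want: a text-level check that strips literals and comments before looking for a second statement or a write keyword, a server-side read-only and timeout setting set at connection time, and a row cap that fetches one extra row to detect truncation. MAX_ROWS, STATEMENT_TIMEOUT_MS, the keyword sets and all function names are assumptions chosen for the example; the sqlite3 demo at the end is an offline stand-in for Postgres with constructed data.

```python
import re
import sqlite3
from typing import Any, List, Optional, Tuple

# Added illustration of the layered read-only gate the audit describes. It is not the
# skill's scripts/query.py; MAX_ROWS, STATEMENT_TIMEOUT_MS, the keyword sets and all
# function names are assumptions chosen for the example.
MAX_ROWS = 500                # assumed row cap
STATEMENT_TIMEOUT_MS = 5000   # assumed per-statement timeout

ALLOWED_LEADING = {"SELECT", "WITH", "EXPLAIN", "SHOW", "TABLE", "VALUES"}
# Rejected anywhere in the statement, not just at its start, so data-modifying CTEs
# (WITH x AS (DELETE ...) SELECT ...) and EXPLAIN ANALYZE DELETE ... are caught too.
BLOCKED = {"INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE", "DROP", "ALTER", "CREATE",
           "GRANT", "REVOKE", "COPY", "VACUUM", "REINDEX", "CLUSTER", "SET", "RESET", "DO",
           "CALL", "LOCK", "REFRESH", "SECURITY", "SET_CONFIG", "PG_SLEEP"}


def blank_literals_and_comments(sql: str) -> str:
    """Overwrite literals and comments with spaces so quoted text cannot hide a statement."""
    out: List[str] = []
    i, n = 0, len(sql)
    while i < n:
        if sql.startswith("--", i):                      # line comment
            j = (sql + "\n").find("\n", i)
        elif sql.startswith("/*", i):                    # block comment (nesting ignored:
            j = sql.find("*/", i + 2)                    # that only makes the gate stricter)
            if j < 0:
                raise ValueError("unterminated block comment")
            j += 2
        elif sql[i] == "'":                              # 'literal', '' escapes a quote
            j = i + 1
            while True:
                k = sql.find("'", j)
                if k < 0:
                    raise ValueError("unterminated string literal")
                j = k + 2 if sql[k + 1:k + 2] == "'" else k + 1
                if j == k + 1:
                    break
        elif (m := re.match(r"\$[A-Za-z_]*\$", sql[i:])):  # $tag$ dollar-quoted literal
            j = sql.find(m.group(0), i + len(m.group(0)))
            if j < 0:
                raise ValueError("unterminated dollar-quoted string")
            j += len(m.group(0))
        else:
            out.append(sql[i])
            i += 1
            continue
        out.append(" " * (j - i))
        i = j
    return "".join(out)


def reject_reason(sql: str) -> Optional[str]:
    """Why the statement fails the text-level gate, or None if it passes."""
    try:
        cleaned = blank_literals_and_comments(sql).strip()
    except ValueError as exc:
        return str(exc)
    if cleaned.endswith(";"):                            # one trailing terminator is fine
        cleaned = cleaned[:-1]
    if ";" in cleaned:
        return "multi-statement queries are not allowed"
    words = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", cleaned.upper())
    if not words or words[0] not in ALLOWED_LEADING:
        return f"statement must start with one of {sorted(ALLOWED_LEADING)}"
    hit = next((w for w in words if w in BLOCKED), None)
    return f"blocked keyword: {hit}" if hit else None


def connect_read_only(params: dict):
    """psycopg2 connection that is read-only and time-limited on the server side (not run offline)."""
    import psycopg2  # imported here so the text gate itself has no driver dependency
    opts = f"-c default_transaction_read_only=on -c statement_timeout={STATEMENT_TIMEOUT_MS}"
    conn = psycopg2.connect(**params, options=opts)
    conn.set_session(readonly=True, autocommit=False)    # driver-level read-only session
    return conn


def run_read_only(conn: Any, sql: str) -> Tuple[List[str], List[tuple], bool]:
    """Gate, execute, cap the result, roll back. Returns (columns, rows, truncated)."""
    reason = reject_reason(sql)
    if reason:
        raise ValueError(reason)
    cur = conn.cursor()
    cur.execute(sql)
    cols = [d[0] for d in cur.description] if cur.description else []
    rows = cur.fetchmany(MAX_ROWS + 1)                   # one extra row reveals truncation
    cur.close()
    conn.rollback()                                      # never leave a transaction open
    return cols, rows[:MAX_ROWS], len(rows) > MAX_ROWS


def demo_with_sqlite() -> Tuple[List[str], int, bool]:
    """Offline stand-in: sqlite3 plays the database; the table contents are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, msg TEXT)")  # setup bypasses the gate
    conn.executemany("INSERT INTO events (msg) VALUES (?)", [(f"row {i}",) for i in range(MAX_ROWS + 100)])
    conn.commit()
    cols, rows, truncated = run_read_only(conn, "SELECT id, msg FROM events ORDER BY id")
    return cols, len(rows), truncated
```

The text gate is deliberately conservative: a double-quoted identifier named "delete" or a doubled trailing semicolon is rejected rather than reasoned about, and the real guarantee against writes comes from default_transaction_read_only and readonly=True on the connection, which hold even for a statement the keyword list does not anticipate. statement_timeout is set in the connection options rather than by a SET statement from the agent, since SET is itself on the blocked list.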
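The two credential-handling measures credited under [CREDENTIALS_UNSAFE], as an added example that is not the skill's code: refusing to load a connections.json that group or world can read, and scrubbing a driver error before it reaches a log or the agent's output. The file layout, the error text and the function names are assumptions; the demo writes a constructed file to a temporary directory.

```python
import json
import os
import re
import stat
import tempfile
from typing import Iterable, Optional, Tuple

# Added illustration, not the skill's code: the connections.json layout, the sample
# error text and all function names are assumptions chosen for the example.


def permission_problem(path: str) -> Optional[str]:
    """Describe an unsafe mode, or return None if only the owner can access the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:                                   # any group or world bit set
        return f"{path} has mode {mode:04o}; expected 0600"
    return None


def load_connections(path: str) -> dict:
    """Load connections.json, refusing to read it at all if the mode is not 0600-strict."""
    problem = permission_problem(path)
    if problem:
        raise PermissionError(problem)
    with open(path) as fh:
        return json.load(fh)


def sanitize_error(message: str, secrets: Iterable[str]) -> str:
    """Scrub credential material from a driver error before logging or display.

    Every configured secret value is removed verbatim, and any libpq-style
    password=... fragment is masked so an echoed DSN cannot leak the password."""
    out = message
    for secret in secrets:
        if secret:
            out = out.replace(secret, "[REDACTED]")
    return re.sub(r"(?i)(password\s*=\s*)\S+", r"\1[REDACTED]", out)


def demo() -> Tuple[bool, bool, str]:
    """Constructed walk-through: loose file is refused, tightened file loads, error is scrubbed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "connections.json")
        with open(path, "w") as fh:
            json.dump({"prod": {"host": "db.internal", "user": "app", "password": "s3cr3t!"}}, fh)
        os.chmod(path, 0o644)                          # the insecure state the check must catch
        refused = permission_problem(path) is not None
        os.chmod(path, 0o600)
        conns = load_connections(path)
        # Sample error text is constructed; it imitates a DSN being echoed back on failure.
        raw = ('FATAL: password authentication failed for user "app"; '
               'dsn was host=db.internal user=app password=s3cr3t!')
        clean = sanitize_error(raw, [c["password"] for c in conns.values()])
    return refused, "s3cr3t!" not in clean, clean
```

Checking the mode bits with S_IMODE and 0o077 flags every group or world bit, including a 0640 file that a casual glance would accept. Redacting the known secret values first, and only then the password= pattern, means a password that appears in a URI or a free-form message is still caught even when the regex would not match it.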
Audit Metadata