win11-24h2-files
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): Arbitrary SQL execution capability via the 'sql' subcommand. The script executes user-provided strings directly against the SQLite database using 'cursor.execute(args.query)' in the 'cmd_sql' function. This capability could be leveraged if the agent is manipulated via prompt injection to perform unauthorized data discovery or metadata extraction within the local database file.
- [PROMPT_INJECTION] (MEDIUM): Indirect prompt injection surface (Category 8).
  - Ingestion points: 'scripts/query.py' reads up to 2 million file entries from '~/moz_artifacts/win11_24h2_files.db'.
  - Boundary markers: Absent; database output is returned directly to the agent's context without delimiters or instructions to ignore embedded commands.
  - Capability inventory: Read access to the local SQLite database, with the output returned to the LLM context.
  - Sanitization: While the search and history subcommands use parameterized queries, the 'sql' subcommand allows raw string execution. Malicious entries within the database content itself could influence the agent's reasoning when it processes query results.
Audit Metadata