text-to-sql
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (tags: COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill executes local Python scripts (db_extractor.py, query_runner.py, init_project.py) to manage the project lifecycle. In list_databases.py, subprocess.run is used to trigger schema extraction. Since shell=True is not used, arguments are passed to the child process verbatim rather than through a shell, so injection via shell metacharacters is mitigated. Note that the argv form does not by itself prevent argument injection in the invoked script (for example a value beginning with "-" being read as an option), so values derived from untrusted input should still be allow-listed before being passed on.
- [CREDENTIALS_UNSAFE] (LOW): The skill requires users to store sensitive database credentials (host, user, password) in a local .env file. This is a common but inherently sensitive practice for local database tools; at minimum the file should be excluded from version control and readable only by the user running the skill.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill is a target for indirect prompt injection because it transforms untrusted natural language input into executable SQL code.
  - Ingestion points: Natural language questions provided by the user (e.g., in SKILL.md Phase 2).
  - Boundary markers: No explicit delimiters or 'ignore' instructions are used to wrap the generated SQL or the user's intent.
  - Capability inventory: The skill can execute arbitrary SQL (via sql_helper.py) and write files to the local disk (output/reports/).
  - Sanitization: The provided scripts do not perform validation or sanitization of the generated SQL before execution, relying entirely on the LLM's output safety.
- [DATA_EXPOSURE] (LOW): The skill explicitly accesses database files and environment variables to extract schemas and run queries, which is the intended functional behavior.
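To make the COMMAND_EXECUTION finding concrete, the following is an added example written for this page; it is not code from the audited skill or from the audit itself. It contrasts the argv form of subprocess.run with the shell=True form on a constructed attacker-controlled value, and adds the allow-list check that the argv form alone does not give you. The one-line child process standing in for db_extractor.py is hypothetical, and the shell=True case assumes a POSIX /bin/sh.

```python
"""Added example (not the skill's or the audit's code): argv vs. shell=True, plus an
argument allow-list. The child program is a stand-in for the skill's scripts."""
import re
import subprocess
import sys

# Constructed attacker-controlled value, e.g. a database name taken from user input.
UNTRUSTED_NAME = "sales; echo INJECTED"

# Allow-list for values forwarded to a child process: alphanumerics, underscore, dot and
# dash, and never a leading dash (a leading dash is what the child's option parser keys on).
_SAFE_ARG = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def is_safe_argument(value: str) -> bool:
    """True if `value` may be forwarded as a single argv element to a child script."""
    return bool(_SAFE_ARG.fullmatch(value))


def run_with_argv(name: str) -> list[str]:
    """Safe form: argv list, no shell. The child receives `name` as one literal argument.
    The child here is a hypothetical stand-in for db_extractor.py that echoes argv[1]."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", name],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.splitlines()


def run_with_shell(name: str) -> list[str]:
    """Unsafe form: the value is interpolated into a command string that /bin/sh parses,
    so the ';' in the constructed name starts a second command (POSIX shell assumed)."""
    proc = subprocess.run(f"echo {name}", shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("argv form :", run_with_argv(UNTRUSTED_NAME))
    print("shell form:", run_with_shell(UNTRUSTED_NAME))
    for candidate in ("sales", "--help", "../other.db", UNTRUSTED_NAME):
        print(f"{candidate!r:28} allowed={is_safe_argument(candidate)}")
```

The argv call returns the metacharacter-laden name as a single line, because nothing ever parsed it as shell syntax; the shell=True call returns two lines, the second being the injected command's output. The allow-list is what closes the remaining gap: "--help" and "../other.db" are both valid argv elements that a child script may still interpret in ways the caller did not intend.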
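The Sanitization sub-finding notes that generated SQL reaches the database with no validation at all. The following is an added example of what a two-layer gate for LLM-generated SQL can look like; it is written for this page and is not code from the skill's sql_helper.py or from the audit. Layer 1 is a coarse static check on the statement text; layer 2 is an SQLite authorizer callback that refuses every action except reads, so a statement that slips past the static check still cannot write. It runs against an in-memory SQLite database seeded with constructed rows, and the queries, table and column names are all invented for the demonstration.

```python
"""Added example, not code from the audit or from the skill: a two-layer gate for
LLM-generated SQL (static check + SQLite authorizer). All data is constructed."""
import re
import sqlite3

# Layer 1: a deliberately simple static gate. It is bypassable on its own (a CTE followed
# by a DELETE passes it, see main below), which is why layer 2 exists.
_ALLOWED_START = re.compile(r"^(select|with)\b", re.I)
_FORBIDDEN = re.compile(r"--|/\*|;|\b(pragma|attach|detach|load_extension|vacuum)\b", re.I)


def static_check(sql: str) -> tuple[bool, str]:
    """Return (ok, reason). Accepts one SELECT/WITH statement without comments or separators."""
    s = sql.strip().rstrip(";").strip()
    if not _ALLOWED_START.match(s):
        return False, "only SELECT or WITH statements are allowed"
    if _FORBIDDEN.search(s):
        return False, "comment, statement separator or blocked keyword present"
    return True, "ok"


# Layer 2: an SQLite authorizer. SQLite consults the callback for every action it compiles;
# returning SQLITE_DENY makes statement preparation fail with "not authorized".
_READ_ONLY_ACTIONS = {
    sqlite3.SQLITE_SELECT,
    sqlite3.SQLITE_READ,
    sqlite3.SQLITE_FUNCTION,
    getattr(sqlite3, "SQLITE_RECURSIVE", -1),  # recursive CTEs are still read-only
}


def _read_only_authorizer(action, arg1, arg2, dbname, trigger):
    return sqlite3.SQLITE_OK if action in _READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY


def open_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the skill's database, seeded with constructed rows.
    The authorizer is installed only after seeding, since seeding needs writes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "acme", 120.0), (2, "globex", 75.5), (3, "acme", 30.0)])
    conn.commit()
    conn.set_authorizer(_read_only_authorizer)
    return conn


def run_generated_sql(conn: sqlite3.Connection, sql: str) -> dict:
    """Apply both layers. Returns a record instead of raising so the caller can log
    which layer stopped a query (useful for detecting injection attempts)."""
    ok, reason = static_check(sql)
    if not ok:
        return {"ok": False, "layer": "static", "reason": reason, "rows": []}
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:  # "not authorized" and multi-statement errors land here
        return {"ok": False, "layer": "authorizer", "reason": str(exc), "rows": []}
    return {"ok": True, "layer": None, "reason": "ok", "rows": rows}


def row_count(conn: sqlite3.Connection) -> int:
    """Reads are still permitted under the authorizer."""
    return conn.execute("SELECT count(*) FROM orders").fetchone()[0]


if __name__ == "__main__":
    db = open_demo_db()
    for q in ("SELECT customer, sum(total) FROM orders GROUP BY customer",
              "DELETE FROM orders",
              "SELECT 1; DELETE FROM orders",
              "WITH t AS (SELECT 1) DELETE FROM orders"):   # passes layer 1, stopped by layer 2
        print(q, "->", run_generated_sql(db, q))
    print("rows left:", row_count(db))
```

The last query in main is the instructive one: SQLite allows a WITH clause in front of DELETE, so the static gate sees a statement that starts with "with" and contains nothing it forbids, and passes it. The authorizer denies the SQLITE_DELETE action at prepare time and the table is untouched. A real deployment would also open the database read-only (the ?mode=ro URI form for SQLite, or a read-only role for a server database) and log every rejection, since a rejected statement is the clearest signal that a prompt injection is being attempted.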
Audit Metadata