debugger
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill is explicitly configured with a Bash tool and instructs the agent to execute shell commands such as uv run src/component.py, uv sync, and uv run pytest. This allows for arbitrary command execution within the agent's environment.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill provides instructions to run uv sync, which installs dependencies from local project files. If these files (e.g., pyproject.toml) are controlled by an attacker or belong to a malicious component being debugged, it can lead to the installation and execution of malicious code. Additionally, the instruction to run uv run src/component.py executes the very code the agent is debugging, which is untrusted.
- [DATA_EXFILTRATION] (MEDIUM): The file references/telemetry-debugging.md contains detailed Snowflake SQL schemas and queries for accessing internal Keboola telemetry (Project 133). This provides the agent with the ability to query sensitive metadata, including configuration_json and job records, across multiple organizational stacks.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection through the analysis of untrusted data.
  - Ingestion points: The agent reads job logs via mcp__keboola__get_job, configuration data via mcp__keboola__get_config, and database records via query_data (Snowflake).
  - Boundary markers: Absent. The skill lacks instructions to treat external data as untrusted or to ignore embedded commands.
  - Capability inventory: The agent has access to Bash (command execution), Read (filesystem access), and mcp__keboola__run_job (triggering remote actions).
  - Sanitization: Absent. External data is used directly to determine debugging steps and fixes.
Recommendations
- AI detected serious security threats
Audit Metadata