metabase-database-metadata
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a Bash script (scripts/fetch-metadata.sh) and multiple shell commands (tar, find, rm, mkdir) to manage metadata archives downloaded from the network.
- [PROMPT_INJECTION]: An indirect prompt injection surface exists, as the agent is instructed to read and process YAML files fetched from a remote Metabase instance to understand the data model.
  - Ingestion points: YAML metadata files stored in the .metadata_cache/databases/ directory after being fetched from the remote Metabase URL.
  - Boundary markers: Absent. The skill does not define delimiters or instructions for the agent to ignore potentially malicious instructions embedded in the metadata.
  - Capability inventory: The agent has access to the Bash, Write, Edit, and WebFetch tools, which could be exploited if malicious content is processed.
  - Sanitization: No validation or sanitization is performed on the remote YAML content before it enters the agent's context.
- [COMMAND_EXECUTION]: The SKILL.md file contains the !command syntax (! bash ...), which can trigger shell execution at the moment the skill is loaded on supported platforms.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the download of a compressed archive (.tar.gz) from a user-provided Metabase URL, which is then extracted and processed locally.
Audit Metadata