elasticsearch
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The documentation contains numerous examples of shell-based commands using a utility named `es` (e.g., in `references/search-api.md` and `references/cluster-api.md`). While these are standard for reference material, an agent following these patterns could execute destructive commands like index deletion (`es "temp-*" -XDELETE`) if not properly constrained.
- [DATA_EXFILTRATION] (LOW): The `_reindex` API reference (`references/index-api.md`) includes an example of a "Remote reindex" targeting `https://other-cluster:9200`. This functionality allows data to be transferred to external network hosts, which could be abused to exfiltrate database contents to an attacker-controlled instance.
- [DYNAMIC_EXECUTION] (LOW): Multiple files (e.g., `references/aggregations.md`, `references/query-dsl.md`) provide examples of using Elasticsearch Painless scripts. Although Painless is a sandboxed language, the ability to generate and execute dynamic code at runtime is a significant attack surface.
- [INDIRECT_PROMPT_INJECTION] (LOW): The documentation describes the use of `query_string` and `script` queries, which are known vectors for injection if untrusted user input is interpolated into the query bodies without sanitization. (Ingestion point: processed search results; Capability: data modification and deletion; Sanitization: the documentation explicitly suggests `simple_query_string` as a safer alternative.)
Audit Metadata