clickhouse-query
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill promotes the use of
npx @obsessiondb/chcliandbunx @obsessiondb/chcli. This pattern downloads and executes code from the npm registry at runtime. Since 'obsessiondb' is not a trusted organization or repository, this represents the execution of unverifiable third-party code. - COMMAND_EXECUTION (LOW): The skill requests permission to execute
Bashcommands for database operations. While this is the primary purpose of the skill, it allows for arbitrary SQL execution which could be leveraged if the agent is manipulated. - Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection because it processes untrusted data from external database queries without sufficient safeguards.
- Ingestion points: SQL query results returned to the agent's context via stdout.
- Boundary markers: Absent. The skill does not instruct the agent to use delimiters or ignore instructions embedded within the query results.
- Capability inventory: The skill possesses the
Bash(command execution) andWrite(file system modification) capabilities. - Sanitization: Absent. There is no evidence of filtering or sanitizing database output before it is processed by the LLM.
- CREDENTIALS_UNSAFE (LOW): The skill handles
CLICKHOUSE_PASSWORD. While it recommends best practices like environment variables and secret managers (Doppler), it also allows passing passwords via CLI flags, which can expose credentials in process listings (e.g.,ps aux).
Audit Metadata