tidewave-integration

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill instructs the agent to automatically query and process runtime state at various workflow checkpoints, which involves ingesting potentially untrusted data.
    * Ingestion points: Application logs (via mcp__tidewave__get_logs) and database contents (via mcp__tidewave__execute_sql_query).
    * Boundary markers: None. The instructions do not specify the use of delimiters or warnings to ignore embedded instructions in the ingested data.
    * Capability inventory: Access to arbitrary Elixir code execution (mcp__tidewave__project_eval), SQL execution (mcp__tidewave__execute_sql_query), and browser JavaScript evaluation (mcp__Tidewave-Web__browser_eval).
    * Sanitization: No sanitization or filtering of ingested data is mentioned before it is processed by the agent.
  • [COMMAND_EXECUTION]: Arbitrary code and query execution capabilities. The skill provides tools for executing Elixir code and SQL queries directly within the application context.
    * Evidence: The mcp__tidewave__project_eval tool is used to run arbitrary Elixir code, as seen in examples for testing functions and inspecting process state in references/tool-examples.md.
    * Evidence: The mcp__tidewave__execute_sql_query tool allows running any SQL command against the development database.
  • [DATA_EXFILTRATION]: Access to sensitive runtime data. The skill facilitates reading information that could contain sensitive data or credentials.
    * Evidence: The mcp__tidewave__get_logs tool provides access to application logs, which often contain PII or session data.
    * Evidence: The mcp__tidewave__project_eval tool is used to inspect application configuration (Application.get_env) and live process state (:sys.get_state).
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 1, 2026, 08:12 AM