ckan-mcp
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted metadata (titles, descriptions, notes) and dataset content from third-party CKAN portals.
  - Ingestion points: Dataset metadata returned by ckan_package_search and ckan_package_show in SKILL.md.
  - Boundary markers: Includes a text-based warning in the Security section of SKILL.md, but no programmatic boundary markers or delimiters are enforced.
  - Capability inventory: Shell execution of curl and duckdb, plus SPARQL and SQL query tools.
  - Sanitization: No explicit sanitization or escaping of dataset metadata is performed before it is presented to the agent.
- [COMMAND_EXECUTION]: The skill executes shell commands using curl and duckdb. curl is used to fetch data from remote APIs (data.europa.eu, dati.gov.it), and duckdb is used to query remote files (CSV, JSON, Parquet). If an attacker influences the URLs found in dataset metadata, this could lead to probing of network resources or exploitation of the underlying tools.