nl-sql-query
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION] (HIGH): This skill exhibits a significant attack surface by translating natural language into executable SQL commands. An attacker can craft a query that tricks the model into generating destructive or exfiltrating SQL.
- Ingestion points: User-provided natural language questions and the database schema from
cdm_store.db(referenced inSKILL.md). - Boundary markers: Absent; the instructions do not specify any delimiters or safety prompts to prevent the LLM from obeying instructions embedded in the user input.
- Capability inventory: The skill executes generated SQL against a DuckDB database, which includes the capability to read/write local files and manage database state (
nl_sql_query.py). - Sanitization: None; the implementation relies entirely on the LLM's output without validation or a restricted/read-only SQL environment.
- [COMMAND_EXECUTION] (HIGH): The skill uses a Python script (
nl_sql_query.py) and a command runner (just) to execute generated SQL. This allows for unintended side effects on the local system, as DuckDB allows file system interactions through various functions. - [DATA_EXFILTRATION] (MEDIUM): Maliciously crafted SQL could be used to read sensitive system files (e.g., via DuckDB's
read_csvfunction) and return their contents as 'query results' to the user. - [CREDENTIALS_UNSAFE] (LOW): The skill requires an
ANTHROPIC_API_KEY. While it correctly uses environment variables, theINSTALLATION.mdguide suggests echoing the key directly into shell profiles, which is a poor security practice that leaves the key in command history files.
Recommendations
- AI detected serious security threats
Audit Metadata