rill-clickhouse

Warn

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill runs several local commands to manage the environment and perform diagnostics.
  • Runs rill start . --no-ui --no-open --verbose --log-format json, which starts a local Rill server process in the current project directory.
  • Runs rill query with SQL strings assembled at runtime, including a user-influenced LIMIT value. If those values are interpolated into the query text without validation, a crafted input can change the query (SQL injection) and read data the user did not intend to expose.
  • Instructs users to run npx skills add clickhouse/agent-skills, which downloads and executes an npm package at install time; the command as shown does not pin a version.
  • [EXTERNAL_DOWNLOADS]: Fetches configuration and rule sets from Rill's and ClickHouse's public sources.
  • Downloads Rill rule files from official Rill sources, github.com/rilldata/rill and docs.rilldata.com.
  • References best-practice rules from the ClickHouse/agent-skills repository on GitHub.
  • [PROMPT_INJECTION]: Exposed to indirect prompt injection, because content read from files and from source metadata is passed to the model as if it were trusted.
  • Ingestion points: Reads rill.yaml, model SQL/YAML files, and metadata from source providers such as AWS S3 or Google Cloud Storage.
  • Boundary markers: Lacks explicit boundary markers or isolation when external source information is folded into model definitions, so instructions embedded in that content are not distinguishable from the user's own.
  • Capability inventory: Includes file read/write, local service execution (rill start), and SQL query execution (rill query), so an injected instruction has real side effects available to it.
  • Sanitization: No explicit sanitization or validation of input source paths or of the SQL intent before they are handed to the Rill CLI.
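The rill query finding above is the pattern that most often turns into a real bug: a model name and a LIMIT taken from the conversation are spliced into a SQL string, and the string is then passed to a shell. The following is an added example, not code from the rill-clickhouse skill, from Rill, or from ClickHouse. It shows the naive construction beside a hardened one that allowlists identifiers, bounds the LIMIT to a plain integer, and builds an argv list instead of a shell command line. The `--sql` flag in `build_argv`, the `MAX_LIMIT` cap and the `orders`/`secrets` model names are assumptions used for illustration only.

```python
"""Hardened construction of a `rill query` invocation.

Added example; not code from the rill-clickhouse skill or from Rill.
Assumed: the skill selects from a model by name with a user-influenced
LIMIT and hands the SQL to `rill query`.  The `--sql` flag below is an
assumption about the CLI surface, not a documented flag.
"""
import re

# Rill model names are file stems, so a conservative identifier allowlist
# is enough.  Anything with quotes, spaces, semicolons or dashes is rejected.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
_DIGITS_RE = re.compile(r"^[0-9]{1,9}$")  # ASCII digits only; str.isdigit() is too loose

MAX_LIMIT = 10_000  # hypothetical cap; blocks "LIMIT 999999999" style bulk pulls


class UnsafeInput(ValueError):
    """Raised for any value that does not match the allowlist."""


def naive_sql(model: str, limit) -> str:
    # The pattern the audit flags: untrusted text interpolated verbatim.
    return f"SELECT * FROM {model} LIMIT {limit}"


def safe_identifier(name: str) -> str:
    # Allowlist first, then double-quote so the value is never a keyword.
    if not isinstance(name, str) or not _IDENT_RE.match(name):
        raise UnsafeInput(f"rejected identifier: {name!r}")
    return f'"{name}"'


def safe_limit(value) -> int:
    # Accept a positive int or an ASCII-digit string within the cap.
    # Rejects "10; DROP TABLE x", "-1", "1e9", True and 0.
    if isinstance(value, bool):
        raise UnsafeInput("bool is not a row limit")
    if isinstance(value, str):
        if not _DIGITS_RE.match(value):
            raise UnsafeInput(f"rejected limit: {value!r}")
        value = int(value)
    if not isinstance(value, int) or not 1 <= value <= MAX_LIMIT:
        raise UnsafeInput(f"limit out of range: {value!r}")
    return value


def build_sql(model: str, columns, limit) -> str:
    # Every fragment is validated before it touches the query text.
    cols = ", ".join(safe_identifier(c) for c in columns) if columns else "*"
    return f"SELECT {cols} FROM {safe_identifier(model)} LIMIT {safe_limit(limit)}"


def build_argv(sql: str) -> list:
    # An argv list, never a shell string: the SQL travels as a single
    # argument, so shell metacharacters inside it cannot spawn commands.
    # Run it with subprocess.run(build_argv(sql), check=True) and no shell=True.
    return ["rill", "query", "--sql", sql]


if __name__ == "__main__":
    hostile_limit = "1; SELECT * FROM secrets"  # constructed hostile input
    print("naive   :", naive_sql("orders", hostile_limit))
    print("hardened:", build_sql("orders", ["id", "total"], "10"))
    try:
        build_sql("orders", [], hostile_limit)
    except UnsafeInput as exc:
        print("rejected:", exc)
```

The naive form prints a query with a second statement appended; the hardened form raises before any text reaches `rill query`. The same allowlist approach applies to the source paths the audit mentions: validate against the set of models and sources actually declared in the project rather than trusting a string the conversation produced.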
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 25, 2026, 06:40 PM