database-schema-validator
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The instructions in SKILL.md direct the agent to execute a shell command using a template: python scripts/validate_schema.py <path_to_user_file>. This pattern is highly susceptible to command injection if the agent does not properly sanitize the input path, potentially allowing an attacker to execute arbitrary code via shell metacharacters (e.g., ;, |, &).
- [DATA_EXFILTRATION] (LOW): The Python script scripts/validate_schema.py lacks path validation or 'jail' constraints, allowing it to read any file on the local filesystem accessible to the process. An attacker could trick the agent into 'validating' sensitive files such as ~/.ssh/id_rsa or .env files, causing the content to be processed and potentially leaked through the script's error output.
- [Indirect Prompt Injection] (LOW): The skill provides a surface for indirect prompt injection by processing external, user-controlled files.
  - Ingestion points: The scripts/validate_schema.py script reads the content of any file path provided via the <path_to_user_file> argument.
  - Boundary markers: None. There are no delimiters or instructions provided to the agent to treat the script's output as untrusted or to ignore embedded instructions.
  - Capability inventory: The agent is granted run_command capabilities to execute local Python scripts.
  - Sanitization: No path validation, character escaping, or content sanitization is performed by the script or mentioned in the skill instructions.
Audit Metadata