data-analysis
Warn
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The DataLoader class in reference/data-wrangling.md implements a _load_sqlite method that performs unsafe string interpolation into a SQL query: f"SELECT * FROM {table}". This allows for SQL injection if the table name is derived from untrusted user input or file metadata.
- [COMMAND_EXECUTION]: The query_with_duckdb function in reference/data-wrangling.md executes raw SQL queries provided as strings. This pattern is vulnerable to SQL injection if the queries are constructed using data from external files without proper parameterization.
- [PROMPT_INJECTION]: The skill is designed to ingest and process data from various untrusted sources (PDF, PPTX, Word, Markdown). This creates an indirect prompt injection surface.
  - Ingestion points: Multiple extraction methods in reference/data-wrangling.md (e.g., extract_pdf_text, extract_pptx_text) extract unstructured text.
  - Boundary markers: The instructions lack clear delimiters or warnings when passing extracted text to the agent for analysis.
  - Capability inventory: The agent can execute complex Python transformations and generate interactive dashboards.
  - Sanitization: No sanitization is performed on extracted text to neutralize potential embedded instructions.
- [EXTERNAL_DOWNLOADS]: The skill depends on numerous standard Python libraries for data science (pandas, plotly, streamlit, etc.). While these are well-known, they represent a significant supply chain surface for a business-critical skill.