database-sharding
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): SQL Injection vulnerability in 'templates/cross-shard-aggregation.ts'. The aggregation methods (count, sum, avg, groupBy, topN) accept a 'where' string parameter that is directly interpolated into SQL queries. While the code validates table and column identifiers via regex, the 'where' clause is not validated or parameterized, enabling arbitrary SQL execution if provided with untrusted input.
- [CREDENTIALS_UNSAFE] (LOW): Hardcoded credentials detected in 'templates/hash-router.ts'. The usage example contains a hardcoded password ('secret'), which promotes insecure configuration practices.
- [DATA_EXFILTRATION] (LOW): Indirect Prompt Injection surface. The skill ingests untrusted data from multiple database shards (e.g., in 'templates/directory-router.ts') and performs operations based on that data. It lacks comprehensive sanitization or boundary markers to prevent malicious data stored in the database from influencing the agent's logic or downstream capabilities.
Audit Metadata