influencer-db
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill provides explicit instructions and examples for the agent to use the sqlite3 CLI to interact with a database file. This allows for arbitrary SQL execution, which can be leveraged to read, write, or delete files on the host system using SQLite meta-commands (e.g., .output, .import, or ATTACH DATABASE).
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: The skill reads data from the influencers table in influencers.db, specifically fields like recent_activity, notes, and rationale (found in SKILL.md).
  - Boundary markers: There are no instructions or delimiters defined to help the agent distinguish between data and embedded commands within these fields.
  - Capability inventory: The agent has full read/write access to the local database via the sqlite3 CLI, as documented in the 'Using sqlite3' section of SKILL.md.
  - Sanitization: No sanitization or validation of the data being inserted into or read from the database is mentioned. If an attacker influences a profile being tracked (e.g., by changing their Twitter bio/activity), they could inject instructions that the agent would then execute when processing that influencer's record.
Recommendations
- AI detected serious security threats
Audit Metadata