duckdb
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- External Downloads (SAFE): The skill installs 'duckdb' and 'polars' from the official PyPI registry, which are reputable packages.
- Command Execution (SAFE): Shell usage is limited to standard environment verification and package installation.
- Indirect Prompt Injection (SAFE): The skill ingests external data files (CSV, Parquet, JSON). While this represents a standard attack surface, it is the primary function of the tool. 1. Ingestion points: File reading via duckdb.sql in SKILL.md. 2. Boundary markers: Absent (standard SQL behavior). 3. Capability inventory: Local file read/write and analytical SQL execution. 4. Sanitization: Absent (inherent to data processing).
Audit Metadata