create-migration

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill allows the agent to process potentially untrusted input to generate migration logic and file names, creating a high-risk capability-to-content bridge.
    • Ingestion points: User-provided migration names and SQL content (SKILL.md, Steps 1 and 2).
    • Boundary markers: Absent; there are no delimiters or explicit instructions to ignore embedded commands in user-provided data.
    • Capability inventory: Execution of shell commands via task and docker, writing to the local file system (Go files), and executing arbitrary SQL via tx.ExecContext.
    • Sanitization: Absent; no validation or escaping mechanisms are described for the migration names or SQL strings.
  • [Dynamic Execution] (HIGH): The skill facilitates the creation of Go files in the migrations/ directory that are subsequently compiled and executed using task migrate:up. This runtime compilation and execution of generated source code is a high-severity pattern.
  • [Unverifiable Dependencies] (LOW): The skill references github.com/pressly/goose/v3. As this is a well-known and established library in the Go ecosystem, it is treated as a trusted source under [TRUST-SCOPE-RULE].
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:46 PM