cortex-classify-notebook
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Privilege Escalation] (HIGH): The skill instructions in SKILL.md advise the agent to USE ROLE ACCOUNTADMIN if the preferred role is missing. This provides the agent with the highest possible level of access to the Snowflake account, which is excessive for a tutorial deployment and poses a significant security risk if the agent's behavior is subverted.
- [Indirect Prompt Injection] (LOW): The skill has a clear vulnerability surface for indirect prompt injection.
  - Ingestion points: assets/classify_unstructured_customer_reviews.ipynb (Cell 2) loads customer review data from s3://sfquickstarts/tastybytes-voc/ into the truck_reviews table.
  - Boundary markers: Absent. There are no delimiters or instructions provided to the LLM function to ignore potentially malicious instructions embedded within the customer reviews.
  - Capability inventory: The notebook (Cells 6 and 7) passes this untrusted data directly to the cortex.classify_text LLM function.
  - Sanitization: Absent. Data is loaded and processed without filtering.
- [External Data Source] (LOW): The notebook content loaded via assets/classify_unstructured_customer_reviews.ipynb and referenced in references/NOTEBOOK_CONTENT.md performs a COPY INTO command from an external S3 bucket (s3://sfquickstarts/tastybytes-voc/). While likely a standard tutorial bucket, it represents the ingestion of external assets.
- [Network Operations] (LOW): SKILL.md (Step 0) mandates the use of web_fetch to retrieve content from docs.snowflake.com. Although this is a trusted domain, it introduces a runtime dependency on external web content that could change.
Recommendations
- AI detected serious security threats
Audit Metadata