sm-bigquery-analyst
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to indirect prompt injection through its data ingestion and processing workflow. 1. Ingestion points: The agent ingests external data returned from
bq queryexecutions and natural language user questions as described inSKILL.md. 2. Boundary markers: Absent; there are no specified delimiters to separate instructions from untrusted table data during processing. 3. Capability inventory: The skill has the capability to execute system commands via thegcloudandbqCLI tools. 4. Sanitization: While SQL-level safety rules like 'SELECT-only' and dry-runs are mandated, there is no mechanism to sanitize the textual content of retrieved data for embedded instructions. - [COMMAND_EXECUTION] (MEDIUM): The skill relies on executing shell commands to interact with the host environment and BigQuery. Evidence: Multiple
bashcode blocks inSKILL.mddemonstrate the use ofgcloudandbqfor environment verification and query execution.
Recommendations
- AI detected serious security threats
Audit Metadata