golang-architect
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The script uses 'go install github.com/sqlc-dev/sqlc/cmd/sqlc@latest' to download and install external software if 'sqlc' is missing. The repository 'sqlc-dev/sqlc' is not included in the 'Trusted External Sources' or 'Trusted GitHub Organizations' list provided in the security policy, making this an unverifiable package installation.
- [REMOTE_CODE_EXECUTION] (MEDIUM): Immediately after installing the unverified 'sqlc' tool, the script executes 'sqlc compile'. If the external source were compromised, this would result in the execution of malicious code on the host system.
- [COMMAND_EXECUTION] (LOW): The script accepts a 'DB_ENGINE' argument which is interpolated directly into the 'sqlc.yaml' configuration file via an unquoted heredoc. Because this input is not validated against an allowlist of expected engine names, it allows potential configuration injection: an attacker controlling the argument could inject additional YAML fields that alter the tool's behavior.
Audit Metadata