sql-writer
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it retrieves and displays content from external, untrusted sources that are subsequently interpreted by the agent.
  - Ingestion Points: `scripts/sample.py` retrieves row data from production tables; `scripts/schema.py` retrieves table/column metadata and comments; `scripts/log_spec.py` (referenced) fetches event specifications from Google Sheets.
  - Boundary Markers: None. Script outputs return raw strings or formatted tables without delimiters to distinguish data from instructions.
  - Capability Inventory: The agent has the capability to execute shell commands (via provided scripts), write files (via `--output` flags), and access the network (Databricks/Google APIs).
  - Sanitization: No logic exists to sanitize or escape data that might contain malicious agent instructions (e.g., in a database column comment).
- [COMMAND_EXECUTION] (MEDIUM): The skill provides the ability to execute arbitrary SQL on a production Databricks warehouse. While it includes a safety check (`is_safe_query` in `scripts/utils.py`), the validation is limited.
  - Incomplete Filtering: The logic only removes single-line SQL comments (`--`) and does not account for block comments (`/* ... */`), which could be used to obfuscate commands or bypass the `startswith` check.
  - Regex Limitations: The blacklist-based keyword check (`DROP`, `DELETE`, etc.) can often be bypassed in complex SQL environments or via dialect-specific syntax.
- [EXTERNAL_DOWNLOADS] (LOW): The skill depends on the `databricks-sdk` package. This is a well-known, versioned package from a trusted vendor, making the dependency risk negligible per TRUST-SCOPE-RULE.
Recommendations
- AI detected serious security threats
Audit Metadata