azure-postgres
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerability to Indirect Prompt Injection (Category 8). The skill includes multiple scripts that process untrusted data from the agent context to perform administrative database tasks.
  - Ingestion points: Parameters like $USER_UPN, $GROUP_NAME, $SERVER_NAME, and $DATABASE in scripts/setup-user.sh, scripts/setup-group.sh, scripts/setup-managed-identity.sh, and scripts/migrate-to-entra.sh.
  - Boundary markers: Absent; inputs are directly interpolated into strings.
  - Capability inventory: Full database administrative access via psql (creating roles, granting permissions, altering schema) and Azure CLI access (modifying server settings, listing resources).
  - Sanitization: Absent; the scripts do not escape single quotes in SQL strings (e.g., WHERE rolename = '$USER_UPN') or validate shell inputs, allowing for SQL injection and potential command injection.
- [COMMAND_EXECUTION] (MEDIUM): High-privilege command execution risk. The skill relies on system-level execution of the Azure CLI (az) and PostgreSQL client (psql). Because these tools are invoked with variables sourced from the agent (which may be influenced by untrusted external instructions), the lack of input validation poses a risk of arbitrary command execution on the host where the skill is running.
Recommendations
- AI detected serious security threats