metabase
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses standard CLI tools like curl and jq to interact with the Metabase API. This is expected behavior for an API integration skill.
- [DATA_EXFILTRATION]: The skill communicates with the Metabase instance defined in the user-provided METABASE_BASE_URL variable. While it handles sensitive data (query results, database metadata), it only transmits it to the host explicitly configured by the user.
- [CREDENTIALS_UNSAFE]: Secrets are managed safely via environment variables (METABASE_TOKEN) and passed through HTTP headers. No hardcoded credentials or insecure storage instructions were found.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: Data retrieved from the Metabase API (e.g., query results, card names, dashboard lists) enters the agent context.
  - Boundary markers: No delimiters or explicit instructions to ignore embedded content are used in the provided examples.
  - Capability inventory: The skill has network access (curl) and file-write access (/tmp/metabase_request.json).
  - Sanitization: No validation or sanitization of the API responses is performed. This represents an indirect prompt injection surface if the Metabase instance contains untrusted content.