run-sql
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically assembles and executes shell commands by parsing local project files like docker-compose.yml, Django settings, and Rails configurations. This mechanism is susceptible to command injection if these files contain malicious payloads.
- [REMOTE_CODE_EXECUTION]: Step 1 explicitly directs the agent to read the "## Query Command" section from .claude/natural-sql/config.md and 'use it as-is'. This creates a direct path for arbitrary command execution; an attacker contributing a malicious config file to a repository could execute any command on the user's system when the skill is invoked.
- [CREDENTIALS_UNSAFE]: The skill is designed to automatically scrape sensitive information, including database usernames and passwords, from Django DATABASES settings and Rails database.yml files.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from the local filesystem to determine its execution logic.
  - Ingestion points: .claude/natural-sql/config.md, docker-compose.yml, schema.tsv, and application source code (Django/Rails settings).
  - Boundary markers: None. The skill trusts the content of the project files to define the execution command.
  - Capability inventory: Full shell command execution capability.
  - Sanitization: The skill mentions escaping quotes for shell transit but fails to validate the integrity or safety of the command string retrieved from the configuration files.
Recommendations
- AI detected serious security threats
Audit Metadata