sql-planner
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by discovering and reading external runner definitions.
- Ingestion points: Scans and reads SKILL.md files from .claude/skills/ and ~/.claude/skills/ to determine task handling logic.
- Boundary markers: The instructions lack explicit delimiters or 'ignore instructions' warnings when processing the content of these external files.
- Capability inventory: Extracted content is used to select execution delegates and provide context (Domain Knowledge) for SQL generation.
- Sanitization: There is no specified validation or sanitization for the data extracted from runner files before it is interpolated into the generator prompt.
- [COMMAND_EXECUTION]: The skill directs the agent to perform broad file system discovery using tools like Glob and Grep starting from the user's home directory (~/.claude/skills/). This allows the agent to process any file matching the pattern, potentially exposing it to untrusted instructions embedded in local files.
Audit Metadata