hybrid-search-implementation
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: SQL Injection vulnerability in the `PostgresHybridSearch.hybrid_search` method. The implementation interpolates keys from the `filter_metadata` dictionary directly into the SQL WHERE clause using an f-string: `f" AND metadata->>'{key}' = ${len(params)}"`. If the dictionary keys are derived from untrusted user input, an attacker can inject arbitrary SQL commands to manipulate the query or access unauthorized data.
- [COMMAND_EXECUTION]: Script and query injection risk in `ElasticsearchHybridSearch.hybrid_search`. The `boost_vector` and `boost_text` parameters are interpolated into the query body and a Painless script via f-strings: `f"cosineSimilarity(params.query_vector, 'embedding') * {boost_vector} + 1.0"`. Without strict type validation, this allows for the injection of malicious script logic or query modifications.
- [PROMPT_INJECTION]: Indirect Prompt Injection surface. The skill is designed to ingest and process document content from external databases and search indexes, which is a common vector for indirect injection when the results are passed to an LLM.
  - Ingestion points: Document content retrieved from PostgreSQL and Elasticsearch via the `hybrid_search` methods.
  - Boundary markers: None; the templates return raw content without delimiters or instructions to treat the data as untrusted.
  - Capability inventory: Read access to database systems and search indices; use of cross-encoders for reranking.
  - Sanitization: The templates do not include sanitization or escaping of the retrieved content before it is returned to the calling agent.
Audit Metadata