smart-query

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • CREDENTIALS_UNSAFE (HIGH): The skill instructions require users to store sensitive SSH jump host credentials and database passwords in config/settings.json. Storing credentials in plain text on the filesystem is a significant exposure risk, as any script or malicious prompt could read this file.
  • PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted natural language from users to generate and execute SQL queries.
      • Ingestion points: User-provided natural language queries (e.g., "查一下xxx数据", "look up the xxx data") processed through the LLM.
      • Boundary markers: None identified in the provided instructions to delimit user input from the SQL generation logic.
      • Capability inventory: The skill has the capability to execute arbitrary SQL commands via scripts/query.py using the pymysql library.
      • Sanitization: No programmatic sanitization is present; the skill relies solely on a "Security Tip" advising the agent to only execute SELECT queries, which an adversarial prompt can easily bypass.
  • COMMAND_EXECUTION (MEDIUM): The skill frequently uses subprocess execution of local Python scripts (query.py, schema_loader.py) with parameters derived from the agent's reasoning process.
  • DATA_EXFILTRATION (MEDIUM): While the skill's primary purpose is data retrieval, the combination of network access (SSH/DB) and the ability to output query results as JSON or raw text creates a path for exfiltrating sensitive database contents if the agent is manipulated.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 11:27 AM