alibabacloud-odps-information-schema

Fail

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The shell script scripts/odps_is_query.sh contains a command injection vulnerability in its custom query handler. The script takes user-supplied SQL strings and interpolates them into a shell command using double quotes (timeout ... "$SQL"). Since bash performs command substitution inside double quotes, an attacker could execute arbitrary shell commands if they can influence the SQL input (e.g., by including $(command) in the string).
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes metadata from external MaxCompute Information Schema views.
  • Ingestion points: Metadata view results (such as table comments, task error messages, or column names) processed via mcp-tools (references/mcp-tools-reference.md) or odps_is_query.sh.
  • Boundary markers: None. The instructions do not define delimiters or provide specific guidance for the agent to treat metadata as untrusted content.
  • Capability inventory: The agent can execute SQL queries via execute_sql (references/mcp-tools-reference.md) and run local shell commands via scripts/odps_is_query.sh.
  • Sanitization: The shell script implements regex-based validation for some identifiers and filters specific SQL keywords in custom mode, but it does not escape or sanitize shell metacharacters in the custom query execution path.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 19, 2026, 04:01 AM
Security Audit — agent-trust-hub — alibabacloud-odps-information-schema