alibabacloud-odps-information-schema
Fail
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The shell script
scripts/odps_is_query.shcontains a command injection vulnerability in itscustomquery handler. The script takes user-supplied SQL strings and interpolates them into a shell command using double quotes (timeout ... "$SQL"). Since bash performs command substitution inside double quotes, an attacker could execute arbitrary shell commands if they can influence the SQL input (e.g., by including$(command)in the string). - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes metadata from external MaxCompute Information Schema views.
- Ingestion points: Metadata view results (such as table comments, task error messages, or column names) processed via
mcp-tools(references/mcp-tools-reference.md) orodps_is_query.sh. - Boundary markers: None. The instructions do not define delimiters or provide specific guidance for the agent to treat metadata as untrusted content.
- Capability inventory: The agent can execute SQL queries via
execute_sql(references/mcp-tools-reference.md) and run local shell commands viascripts/odps_is_query.sh. - Sanitization: The shell script implements regex-based validation for some identifiers and filters specific SQL keywords in custom mode, but it does not escape or sanitize shell metacharacters in the custom query execution path.
Recommendations
- AI detected serious security threats
Audit Metadata