Skills
skills/ariadoss/superskills/db-optimize/Gen Agent Trust Hub

db-optimize

Warn

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill uses the $DATABASE_URL environment variable in shell commands (e.g., psql "$DATABASE_URL"). This variable typically contains sensitive credentials, including usernames and passwords, which are exposed to the agent's execution context and potential logging.
  • [DYNAMIC_EXECUTION]: In Step 3, the skill automatically executes SQL queries identified in slow query logs using EXPLAIN (ANALYZE, ...). Because the ANALYZE flag causes the database to actually execute the query to collect statistics, this allows for the execution of arbitrary SQL logic if the source logs have been manipulated.
  • [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it parses and acts upon data from untrusted external sources like application logs.
  • Ingestion points: Application log files scanned via find and grep in SKILL.md Step 2.
  • Boundary markers: None. The skill does not use delimiters or instructions to ignore embedded commands within the logs.
  • Capability inventory: The skill uses the Bash tool to execute psql and mysql commands against the database.
  • Sanitization: No sanitization or validation is performed on the query text extracted from logs before it is passed to the database engine for execution.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 28, 2026, 05:50 AM