databricks-cli
Warn
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses Python scripts (scripts/metadata.py, scripts/run.py) to execute local shell commands via subprocess.run. These commands primarily wrap the databricks CLI to perform workspace management and configuration tasks.
- [REMOTE_CODE_EXECUTION]: The utility scripts featured in the skill dynamically generate Python code blocks at runtime to wrap SQL queries for execution on remote Databricks Spark clusters via the API. Additionally, the installation documentation (databricks-cli-install.md) provides instructions for executing remote setup scripts via curl piped to bash.
- [EXTERNAL_DOWNLOADS]: The skill references and guides the user to download official Databricks binaries and setup scripts from github.com/databricks. These are recognized as official resources from a well-known service provider.
- [PROMPT_INJECTION]: The skill ingests untrusted data from the Databricks Unity Catalog (such as table schemas, metadata comments, and query results), creating a surface for indirect prompt injection.
- Ingestion points: External data enters the agent context through the outputs of scripts/metadata.py and scripts/run.py.
- Boundary markers: Absent. Data from the remote workspace is printed as text or markdown without specific delimiters or instructions for the agent to ignore embedded commands.
- Capability inventory: The skill can execute local shell commands (subprocess.run), write files to the workspace (databricks workspace import), and make authenticated network requests to the Databricks API.
- Sanitization: Employs basic string replacement for SQL escaping and Python template variable protection.
Audit Metadata