generate-mdl

Fail

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, SAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides a command to update itself by fetching and executing a shell script (install.sh) from the vendor's official GitHub repository. As this resource is provided by the identified author 'Canner', it represents standard vendor functionality.
  • [EXTERNAL_DOWNLOADS]: The skill performs a network request to the vendor's GitHub repository to retrieve version information (versions.json) for update checking purposes.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from an external database to build manifests, presenting an indirect prompt injection surface.
      • Ingestion points: Metadata is ingested via the list_remote_tables() and list_remote_constraints() tools as described in SKILL.md.
      • Boundary markers: No explicit delimiters or instructions are used to separate the ingested metadata from the agent's instructions during the MDL construction process.
      • Capability inventory: The skill has the capability to deploy manifests and perform dry runs via deploy_manifest() and dry_run() tools.
      • Sanitization: There is no mention of sanitizing or escaping column/table names or constraints before they are interpolated into the manifest structure.
  • [SAFE]: Sensitive database credentials are never handled directly by the skill prompts or the ibis-server API; instead, users are directed to manage connections through a local Web UI or a local JSON file.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/Canner/wren-engine/main/skills/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 20, 2026, 08:56 AM