supervisor-api
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill uses official, versioned libraries from Databricks and MLflow (
databricks-openai,databricks-sdk,mlflow) to manage agent orchestration and distributed tracing. - [SAFE]: Implements a multi-turn approval flow for MCP server tools (Unity Catalog connections or apps), ensuring that sensitive tool calls require explicit user confirmation.
- [SAFE]: No hardcoded credentials or sensitive file paths were detected; the skill relies on environment variables and workspace-level permissions managed through service principals.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it ingests untrusted user input and passes it to a server-side agent loop capable of executing various tools.
- Ingestion points:
request.inputin theinvoke_handlerandstream_handlerfunctions withinagent_server/agent.py. - Boundary markers: None explicitly defined in the provided code snippets to distinguish between instructions and user-provided data.
- Capability inventory: Ability to execute Unity Catalog functions, query Genie spaces, access Knowledge Assistants, and call MCP server endpoints.
- Sanitization: No input validation or sanitization logic is present in the skill instructions to filter potentially malicious instructions within user messages.
Audit Metadata