supervisor-api

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill uses official, versioned libraries from Databricks and MLflow (databricks-openai, databricks-sdk, mlflow) to manage agent orchestration and distributed tracing.
  • [SAFE]: Implements a multi-turn approval flow for MCP server tools (Unity Catalog connections or apps), ensuring that sensitive tool calls require explicit user confirmation.
  • [SAFE]: No hardcoded credentials or sensitive file paths were detected; the skill relies on environment variables and workspace-level permissions managed through service principals.
  • [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it ingests untrusted user input and passes it to a server-side agent loop capable of executing various tools.
  • Ingestion points: request.input in the invoke_handler and stream_handler functions within agent_server/agent.py.
  • Boundary markers: None explicitly defined in the provided code snippets to distinguish between instructions and user-provided data.
  • Capability inventory: Ability to execute Unity Catalog functions, query Genie spaces, access Knowledge Assistants, and call MCP server endpoints.
  • Sanitization: No input validation or sanitization logic is present in the skill instructions to filter potentially malicious instructions within user messages.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 06:08 AM
Security Audit — agent-trust-hub — supervisor-api