databricks-dbsql

Pass

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill provides documentation and templates for AI functions (e.g., ai_query, ai_gen, ai_classify) that process data from database tables and external sources. This creates an indirect prompt injection surface where malicious data ingested from a table or API could attempt to override the agent's behavior.
  • Ingestion points: Data is ingested via read_files, http_request, and remote_query (Lakehouse Federation) as documented in references/ai-functions.md.
  • Boundary markers: The provided SQL templates do not explicitly include delimiter-based isolation or 'ignore instructions' warnings for processed data.
  • Capability inventory: The skill enables file system reads, external network requests, and dynamic SQL execution via EXECUTE IMMEDIATE.
  • Sanitization: While the documentation promotes secure credential management, it does not provide specific guidance for sanitizing data retrieved from external sources before it is passed to LLM functions.
  • [COMMAND_EXECUTION]: The skill documents the use of EXECUTE IMMEDIATE for dynamic SQL execution in references/sql-scripting.md. Although the documentation correctly advises using positional (?) or named (:param) parameter markers to prevent SQL injection, the existence of dynamic execution logic provides a capability that could be misused if users construct queries via string concatenation.
  • [DATA_EXFILTRATION]: The http_request function documented in references/ai-functions.md enables the agent to send data to external HTTP endpoints. While the skill demonstrates best practices by using the secret() function to retrieve bearer tokens and OAuth credentials from a managed secret store, the ability to communicate with external APIs constitutes a potential exfiltration vector if the agent is manipulated into sending sensitive data to an unauthorized endpoint.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 26, 2026, 11:05 AM
Security Audit — agent-trust-hub — databricks-dbsql