dataform-bigquery

Warn

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs system-wide modifications by installing the Dataform CLI globally (npm i -g @dataform/cli) and executes tools such as gcloud and bq to interact with the system environment.
  • [CREDENTIALS_UNSAFE]: The skill is designed to read and modify .df-credentials.json, a file used for authentication and project configuration.
  • [PROMPT_INJECTION]: The skill metadata identifies the publisher as 'google', which is inconsistent with the actual author 'gemini-cli-extensions'.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting and acting upon untrusted Dataform project files and SQLX models while possessing shell execution capabilities.
      • Ingestion points: reads workflow_settings.yaml, SQLX source files, and BigQuery table previews.
      • Boundary markers: none observed to isolate untrusted data from the agent's logic.
      • Capability inventory: shell access for system tools (npm, dataform, bq) and file writing capabilities.
      • Sanitization: no evidence of sanitization or safety checks for the content extracted from the project repository.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Apr 28, 2026, 10:20 PM