database-operation
Fail
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions for the agent to execute arbitrary SQL queries directly against the database using the
execute_commandtool withsqlite3orpsql. This grants full administrative control, which can be misused to delete tables, modify records, or bypass application security logic. - [DATA_EXFILTRATION]: The skill facilitates access to database tables containing highly sensitive information, such as
site(including cookies, API keys, and tokens),user(including emails and hashed passwords), andpasskey. While the skill includes instructions for the agent to skip these fields in outputs, there are no technical controls to prevent the retrieval or transmission of this data. - [CREDENTIALS_UNSAFE]: The documentation recommends passing PostgreSQL passwords via the
PGPASSWORDenvironment variable in a shell command. This is an insecure practice as the password can be visible to other users on the system through process monitoring tools or command history. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and 'interprets' data from the database. Malicious content stored within database fields (e.g., in
downloadhistoryormessagetables) could influence the agent's behavior when the query results are processed. - Ingestion points: SQL query results from various tables like
downloadhistory,user, andsite(SKILL.md). - Boundary markers: None; the agent is instructed to directly analyze and present the results.
- Capability inventory:
execute_commandandread_filetools (SKILL.md). - Sanitization: None; database content is treated as trusted data for analysis.
Recommendations
- AI detected serious security threats
Audit Metadata