database-operation

Fail

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions for the agent to execute arbitrary SQL queries directly against the database using the execute_command tool with sqlite3 or psql. This grants full administrative control, which can be misused to delete tables, modify records, or bypass application security logic.
  • [DATA_EXFILTRATION]: The skill facilitates access to database tables containing highly sensitive information, such as site (including cookies, API keys, and tokens), user (including emails and hashed passwords), and passkey. While the skill includes instructions for the agent to skip these fields in outputs, there are no technical controls to prevent the retrieval or transmission of this data.
  • [CREDENTIALS_UNSAFE]: The documentation recommends passing PostgreSQL passwords via the PGPASSWORD environment variable in a shell command. This is an insecure practice as the password can be visible to other users on the system through process monitoring tools or command history.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and 'interprets' data from the database. Malicious content stored within database fields (e.g., in downloadhistory or message tables) could influence the agent's behavior when the query results are processed.
  • Ingestion points: SQL query results from various tables like downloadhistory, user, and site (SKILL.md).
  • Boundary markers: None; the agent is instructed to directly analyze and present the results.
  • Capability inventory: execute_command and read_file tools (SKILL.md).
  • Sanitization: None; database content is treated as trusted data for analysis.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 16, 2026, 03:58 AM
Security Audit — agent-trust-hub — database-operation