motherduck-create-flight

Pass

Audited by Gen Agent Trust Hub on Jun 12, 2026

Risk Level: SAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill's primary purpose is to create and manage 'MotherDuck Flights', which are Python scripts executed on MotherDuck's remote infrastructure. This is the intended functionality of the platform service being integrated.
  • [COMMAND_EXECUTION]: Documentation notes that the remote execution environment allows shell commands via subprocess and package management via apt-get install for dependencies like git or ffmpeg.
  • [EXTERNAL_DOWNLOADS]: Provided templates include examples of fetching data from well-known services, such as the GitHub API, and downloading configuration or datasets from S3 buckets.
  • [PROMPT_INJECTION]: The skill includes explicit security instructions for the agent to validate all user-supplied SQL identifiers (databases, schemas, tables) against a restrictive regular expression ([A-Za-z_][A-Za-z0-9_]*) before use in DDL operations, mitigating potential injection attacks.
  • [CREDENTIALS_UNSAFE]: The instructions mandate the use of the platform's internal secrets management system (TYPE flights secrets) for sensitive credentials, ensuring they are injected as environment variables at runtime rather than hardcoded in source code.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 12, 2026, 08:48 PM
Security Audit — agent-trust-hub — motherduck-create-flight