motherduck-partner-delivery

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill provides legitimate architectural guidance and code templates for multi-client MotherDuck deployments. No malicious patterns, such as obfuscation or credential theft, were detected.
  • [COMMAND_EXECUTION]: The skill includes instructions to execute local Python and TypeScript artifacts (e.g., artifacts/client_delivery_example.py) using the uv tool. These artifacts are used to demonstrate database provisioning and validation tasks.
  • [EXTERNAL_DOWNLOADS]: The skill depends on the duckdb library, which is a well-known and trusted package for analytical database operations.
  • [DATA_EXFILTRATION]: The skill accesses the environment variables MOTHERDUCK_AGENT_HARNESS and MOTHERDUCK_AGENT_LLM to construct a custom User-Agent for MotherDuck connections. This is used for platform telemetry and does not involve sensitive user data.
  • [INDIRECT_PROMPT_INJECTION]: The skill defines functions in references/PARTNER_DELIVERY_GUIDE.md that interpolate variables such as slug and database_name into SQL queries. While this is a common pattern for database provisioning scripts, it creates a surface for SQL injection if an agent applies these templates to untrusted user input without sanitization.
      • Ingestion points: slug, region, and database_name parameters in provisioning and validation functions in PARTNER_DELIVERY_GUIDE.md.
      • Boundary markers: None present in the provided code templates.
      • Capability inventory: duckdb.execute() and duckdb.sql() are used within the script templates to interact with the database.
      • Sanitization: No explicit sanitization or parameter binding is demonstrated in the guide's example templates.
Audit Metadata
Risk Level: SAFE
Analyzed: May 7, 2026, 06:31 PM