metabase
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `curl` and `jq` to perform various API operations against a Metabase instance. This includes sensitive actions such as listing users, retrieving database schemas, and executing raw SQL queries.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data which is then interpolated into commands or queries.
  - Ingestion points: Untrusted data enters the context through user-provided parameters such as search queries, database/card/dashboard IDs, and raw SQL query strings defined in `SKILL.md`.
  - Boundary markers: The instructions lack delimiters or warnings to ignore potentially malicious instructions embedded within the data retrieved or processed.
  - Capability inventory: The skill has the ability to execute network requests via `curl` and perform database operations, including data deletion or modification via SQL if the API key has sufficient permissions.
  - Sanitization: There is no evidence of input validation, escaping, or filtering of external content before it is interpolated into shell commands or JSON request bodies.
- [CREDENTIALS_UNSAFE]: The skill follows security best practices by instructing users to store sensitive API keys in the `METABASE_TOKEN` environment variable rather than hardcoding them in the scripts or markdown files.