Trust Assessment
database-query received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 2 critical, 0 high, 0 medium, and 0 low severity. Key findings: SQL injection in the `search_users` function and SQL injection in the `get_user_by_id` function.
The analysis covered 4 layers: dependency_graph, static_code_analysis, manifest_analysis, llm_behavioral_safety. The llm_behavioral_safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit de937128). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | SQL Injection in `search_users` function: the `search_users` function is vulnerable to SQL injection. Both the `table_name` and `search_term` parameters are concatenated directly into the SQL query string using f-strings, without sanitization or parameterization. An attacker can manipulate these inputs to execute arbitrary SQL commands, bypass security controls, or exfiltrate sensitive data from the `users.db` database. For example, injecting `' OR 1=1 --` into `search_term`, or a malicious table name into `table_name`, could lead to unauthorized data access or manipulation. To prevent SQL injection, use parameterized queries. For `search_term`, replace the f-string interpolation with a placeholder (`?` for `sqlite3`) and pass the value as a separate parameter to `cursor.execute()`. For `table_name`, user input should never be used directly; instead, validate it against a whitelist of allowed table names before constructing the query. | Unknown | query.py:25 |
| CRITICAL | SQL Injection in `get_user_by_id` function: the `get_user_by_id` function is vulnerable to SQL injection. The `user_id` parameter is concatenated directly into the SQL query string using an f-string, without sanitization or parameterization. An attacker can manipulate this input (e.g., `1 OR 1=1`) to execute arbitrary SQL commands, bypass authentication, or retrieve unauthorized data from the `users` table in `users.db`. To prevent SQL injection, use parameterized queries. Replace the f-string interpolation with a placeholder (`?` for `sqlite3`) and pass the `user_id` value as a separate parameter to `cursor.execute()` (e.g., `cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))`). | Unknown | query.py:35 |
[Full report](https://skillshield.io/report/5f932323fc09f36d)