Security Audit
googlebigquery-automation
github.com/ComposioHQ/awesome-claude-skillsTrust Assessment
googlebigquery-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include Arbitrary SQL Query Execution (Command Injection), Potential Data Exfiltration via SQL Queries, Excessive Permissions for Database Access.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary SQL Query Execution (Command Injection) The skill allows the execution of arbitrary native SQL queries via the `METABASE_POST_API_DATASET` tool. A malicious prompt could instruct the LLM to construct and execute SQL queries that perform unauthorized database commands, data manipulation, or privilege escalation within the connected BigQuery instance. This is a direct command injection vector into the database. Implement strict input validation and sanitization for SQL queries if they are constructed from untrusted input. Prefer using parameterized queries (`template_tags`) over direct raw SQL execution. Limit the database user's permissions to the absolute minimum required (principle of least privilege). Consider providing more granular tools that abstract SQL generation rather than exposing raw SQL execution. | LLM | SKILL.md:39 | |
| HIGH | Potential Data Exfiltration via SQL Queries The ability to execute arbitrary native SQL queries means the LLM can be instructed to retrieve any data accessible by the Metabase connection. This poses a significant risk of data exfiltration, where sensitive information from the BigQuery database could be retrieved and potentially leaked if the LLM is compromised or misused. Enforce the principle of least privilege for the database user account used by Metabase. Implement robust data access policies and monitoring. Ensure the LLM is instructed to only query data relevant to its task and to avoid sensitive data unless explicitly authorized. Consider data masking or redaction for sensitive fields. | LLM | SKILL.md:39 | |
| HIGH | Excessive Permissions for Database Access The skill, through its `METABASE_POST_API_DATASET` tool, allows for broad and unrestricted access to the BigQuery database via arbitrary SQL queries. The documentation does not specify any limitations on the scope of these queries or the permissions of the underlying Metabase connection. This implies that the skill could be used to access or manipulate any data that the Metabase connection has access to, potentially granting excessive permissions to the LLM. Clearly define and enforce the principle of least privilege for the Metabase connection used by this skill. Document the expected scope of database access and ensure it is as narrow as possible. If feasible, provide tools with more granular access controls or pre-defined query templates rather than a single tool for arbitrary SQL execution. | LLM | SKILL.md:39 |
Scan History
Embed Code
[](https://skillshield.io/report/9c71b7ce4df2ac3d)
Powered by SkillShield