Skill Trust Decision

sql_audit

The skill contains hardcoded credentials and undeclared external network communication to a static IP, but implements legitimate SQL audit functionality without evidence of malicious data exfiltration.

Install decision first · Source: Manual upload · Scanned: Apr 4, 2026
Files 3
Artifacts 2
Violations 2
Findings 3
Most direct threat evidence
High · Credential Theft
Hardcoded JWT token in source code

A default JWT authentication token is hardcoded in the _get_gemini_config() function. The token appears to contain base64-encoded user credentials (admin user). If this token is a real credential, it should be supplied only via environment variables.

sql_audit.py:657

Why this conclusion was reached

3/4 dimensions flagged

Block · Declared vs actual capability
2 undeclared or violating capabilities were inferred.

Block · Hidden execution and egress
1 high-risk artifact or egress signal was extracted.

Block · Attack chain and severe findings
The report includes 0 attack-chain steps and 2 severe findings.

Review · Dependencies and supply chain hygiene
3 dependency or supply-chain issues need attention.

What drove the risk score up

Hardcoded IP address in source · +15
47.77.199.56 is hardcoded as the default Gemini API endpoint in _get_gemini_config()

Hardcoded JWT token · +18
_default_token is hardcoded in sql_audit.py:657-666 and contains base64-encoded credential data

Undeclared network behavior · +10
SKILL.md does not mention external API calls or the hardcoded IP fallback

Subprocess shell execution · +5
index.js spawns a Python subprocess, but this is documented as expected behavior

Most important evidence

High · Credential Theft
Hardcoded JWT token in source code

A default JWT authentication token is hardcoded in the _get_gemini_config() function. The token appears to contain base64-encoded user credentials (admin user). If this token is a real credential, it should be supplied only via environment variables.

sql_audit.py:657

Remove the hardcoded _default_token. Require all tokens to be set via the GEMINI_TOKEN environment variable. Do not ship credentials in source code.

High · Doc Mismatch
Undeclared external IP address for API calls

The skill makes HTTP requests to a hardcoded IP address (47.77.199.56) for Gemini API calls, but this is not mentioned in SKILL.md. Users cannot verify where their data is being sent.

sql_audit.py:649

Document the external API endpoint in SKILL.md. Prefer DNS-based URLs over raw IP addresses. Consider making the endpoint configurable via an environment variable.

Medium · Priv Escalation
Undeclared shell subprocess execution

index.js uses Node.js spawn() to invoke the Python interpreter, which is a form of shell execution. While this is common for skill runners, it is not declared in SKILL.md.

index.js:98

Document the subprocess execution mechanism in the capability section of SKILL.md.

Declared capability vs actual capability

Capability    Status   Declared   Inferred   Evidence
Filesystem    Pass     READ       READ       SKILL.md: reads sql_output.json, writes audit_output.json
Network       Block    NONE       WRITE      sql_audit.py:649: undeclared external HTTP calls to 47.77.199.56
Shell         Block    NONE       WRITE      index.js: spawn() launches a Python subprocess
Database      Pass     WRITE      WRITE      Executes real SQL on StarRocks, returns results

Suspicious artifacts and egress

High · IP Address · 47.77.199.56
sql_audit.py:649

Medium · External URL · http://47.77.199.56/api/v1beta
sql_audit.py:649

Dependencies and supply chain

Package         Version    Source   Known vuln   Notes
httpx           unpinned   pip      No           No version pinning
pymysql         unpinned   pip      No           No version pinning
python-dotenv   unpinned   pip      No           No version pinning

File composition

3 files · 1089 lines
Python: 1 file · 868 lines
JavaScript: 1 file · 164 lines
Markdown: 1 file · 57 lines

Files of concern · 2
sql_audit.py · Python · 868 lines
Hardcoded JWT token in source code · Undeclared external IP address for API calls · 47.77.199.56 · http://47.77.199.56/api/v1beta
index.js · JavaScript · 164 lines
Undeclared shell subprocess execution
Other files · SKILL.md

Security positives

SQL execution is constrained to SELECT operations (intercept rules mentioned in docs)
No evidence of credential exfiltration or data theft
Database connection details are read from environment variables (proper handling)
No base64-encoded runtime execution or obfuscation detected
No access to sensitive paths like ~/.ssh or ~/.aws