Case study · Hugging Face Skills · AI infrastructure

Five SQL injection vectors in Hugging Face's skills framework

Hugging Face's skills repository let AI agents drive a DuckDB database through a thin Python wrapper that built every query with f-strings. One file held five injection vectors, each reachable from agent-influenced input.

Surface: Agent SQL module
Class: CWE-89
Severity: High
Type: Research

The system

The skills repository is Hugging Face's framework for giving AI coding agents reusable capabilities, with over 1,600 stars. Its sql_manager.py module wraps DuckDB so agents can create tables, insert rows and run queries, with table names, columns and values all flowing in from agent reasoning, which in practice means user prompts and retrieved context.

The finding

Every entry point built SQL by dropping Python variables straight into f-strings with no quoting, escaping or parameterisation. Five vectors shared the root cause: table creation, column addition, row insertion, row filtering and direct execution.

DuckDB made it worse than typical SQL injection. Its execute() runs multiple semicolon-separated statements, so a single payload could chain DROP TABLE with exfiltration, and its built-in read_csv_auto() and COPY TO primitives turned injection into arbitrary file read and write on the host.

The fix

The fix moved every value into parameterised queries using DuckDB's native $1 placeholders and added strict identifier validation for table and column names, which cannot be bound as parameters. Thirty lines changed, with all 15 existing tests still passing. The maintainer merged it in nine days with no requested changes.
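As an added illustration (not the repository's sql_manager.py and not the merged patch), the f-string pattern the case study describes is shown next to a hardened builder that checks identifiers against an assumed allowlist regex and binds values through DuckDB-style $1 placeholders; the returned (sql, params) pair is what a wrapper would hand to conn.execute(sql, params), and the DuckDB run at the bottom is skipped when the package is not installed.

```python
import re

# Assumed identifier policy for this example: letters, digits and underscore,
# not starting with a digit. The original fix's exact rule is not reproduced here.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

def vulnerable_insert(table: str, row: dict) -> str:
    """The root-cause pattern: table, columns and values all interpolated into one f-string."""
    cols = ", ".join(row)
    vals = ", ".join(f"'{v}'" for v in row.values())
    return f"INSERT INTO {table} ({cols}) VALUES ({vals})"

def check_identifier(name: str) -> str:
    """Identifiers cannot be bound as parameters, so they are allowlisted instead."""
    if not _IDENT.match(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    return name

def safe_insert(table: str, row: dict) -> tuple[str, list]:
    """Row insertion: identifiers validated, every value bound through $1..$n."""
    check_identifier(table)
    cols = [check_identifier(c) for c in row]
    placeholders = ", ".join(f"${i}" for i in range(1, len(cols) + 1))
    sql = f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({placeholders})"
    return sql, list(row.values())

def safe_select_where(table: str, column: str, value) -> tuple[str, list]:
    """Row filtering: column is a validated identifier, the compared value is a parameter."""
    check_identifier(table)
    check_identifier(column)
    return f"SELECT * FROM {table} WHERE {column} = $1", [value]

# Constructed sample value: in the f-string version it closes the statement and
# chains a second one, which DuckDB's multi-statement execute() would run.
INJECTED_VALUE = "x'); DROP TABLE users; --"

if __name__ == "__main__":
    print(vulnerable_insert("users", {"name": INJECTED_VALUE}))
    sql, params = safe_insert("users", {"name": INJECTED_VALUE})
    print(sql, params)  # the payload travels as plain data, never as SQL text
    try:
        import duckdb
        con = duckdb.connect()
        con.execute("CREATE TABLE users (name VARCHAR)")
        con.execute(sql, params)
        print(con.execute(*safe_select_where("users", "name", INJECTED_VALUE)).fetchall())
    except ImportError:
        print("duckdb not installed; skipping execution")
```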

Want this rigour on your stack?

Tell us what you're shipping and we'll scope a focused review, then Sebastion keeps it secure on every pull request.