πŸ”AI RiskAtlas

When the Query Bites Back

A text-to-SQL agent runs the model's output straight at the database

Technique first revealed 03 Aug 2023

[Diagram: Tool-Using Agent. Zones: Untrusted, Agent core, Oversight, The real world. Components: User, Orchestrator / Agent Loop, LLM, Identity & Permissions, Tool Runtime, Human Approval Gate, External APIs, Business Database, Untrusted Content, Audit Logging, Analyst (Tenant A). Edge types: Instructions, Data, Actions, Control / decision, Feedback / logs.]
Setup (Step 1 / 6)

A self-service analytics agent

The company's BI team builds an assistant so anyone can ask questions like 'how many orders did we ship last week?' without knowing how databases work. You type a question; the assistant turns it into a database query, runs it, and shows you the answer.

βš™οΈHow the agent is wiredconfig
tool: run_sql
  input:  sql_string (from model output)
  execute: db.query(sql_string)        # concatenated, executed verbatim
  credential: ANALYTICS_SVC            # role grants SELECT/INSERT/UPDATE/DELETE
  scope: ALL TENANTS (shared warehouse) # no row-level security
  guards: none (no allowlist, no parameterisation, no statement-type check)
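For contrast with the wiring above, here is an added example (not AI RiskAtlas code) of what a guarded run_sql could look like: the model's SQL is run as a single read-only statement, reads are limited to an allowlist of tables, and the tenant scope comes from the session rather than from the model. SQLite stands in for the warehouse; the SqlGuard class, build_warehouse() and the seed rows are constructed for the demo.

```python
import sqlite3

# Constructed demo warehouse, like the scenario's shared store: one table holding
# several tenants' rows and no row-level security of its own.
SEED_ORDERS = [(1, 1, 120), (2, 1, 80), (3, 2, 999)]   # (id, tenant_id, amount)
READABLE_TABLES = {"orders"}                           # allowlist for model reads


def build_warehouse() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, tenant_id INTEGER, amount INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", SEED_ORDERS)
    return db


class SqlGuard:
    """Runs model-written SQL as one read-only statement scoped to the caller's tenant."""

    def __init__(self, db: sqlite3.Connection):
        self.db, self.enforcing = db, False
        db.set_authorizer(self._authorize)   # SQLite asks before compiling each action

    def _authorize(self, action, arg1, arg2, db_name, trigger_or_view):
        # Decided on the compiled statement, not on the SQL text, so a write is
        # refused however it is phrased or schema-qualified.
        if not self.enforcing:
            return sqlite3.SQLITE_OK            # the guard's own setup statements
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 in READABLE_TABLES:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY              # INSERT/UPDATE/DELETE/DROP/ATTACH/...

    def run(self, model_sql: str, tenant_id: int):
        """Returns (True, rows) or (False, reason). tenant_id comes from the session."""
        if type(tenant_id) is not int:
            raise ValueError("tenant_id must be an int from the identity layer")
        # A TEMP view with the table's name shadows it (SQLite resolves unqualified
        # names in temp before main), so the model's query only sees this tenant.
        self.db.execute("DROP VIEW IF EXISTS temp.orders")
        self.db.execute("CREATE TEMP VIEW orders AS SELECT * FROM main.orders "
                        f"WHERE tenant_id = {tenant_id}")
        self.enforcing = True
        try:
            # Connection.execute() runs exactly one statement; stacked ones raise.
            return True, self.db.execute(model_sql).fetchall()
        except (sqlite3.Error, sqlite3.Warning) as exc:
            return False, f"rejected: {exc}"
        finally:
            self.enforcing = False
```

The authorizer matters even with the view in place: a query that names main.orders directly bypasses the shadowing view but is still refused at compile time.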

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning, not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading · Built by Shi Yuan