Nirmalya Ghosh Applied AI | Technologist
Posts with the tag

Multi-Agent Text-to-SQL: Where The Security Agent Fails

The Security Agent in a multi-agent text-to-SQL system inspects the natural language query but nothing else. Schema metadata and inter-agent messages flow through uninspected channels. A post-generation SQL audit catches destructive output, but it is keyword-based, the same ceiling as input inspection.

This post tests those blind spots with 373 adversarial queries across four vectors. Adding national ID recognition improves detection, but misspellings, base64 encoding, and leetspeak still get through. The blind spot is structural, not a missing rule.

Text-to-SQL the Naïve Way: Why Most Demos Fail in Production

The promise of Text-to-SQL is compelling: let anyone query a database using plain English. The reality is that most implementations silently return wrong data, expose sensitive information, and cost more than they should.

Slopsquatting (i.e., package hallucination)

Researchers have identified a cyber threat known as slopsquatting, also referred to as package hallucination, in which malicious actors exploit the tendency of large language models (LLMs) to generate non-existent package names during code generation. These hallucinated package names, when registered by attackers with malware payloads, create a new vector for software supply chain attacks—particularly within AI-assisted development workflows.