fizzgig__sql_injection_sniff
flags SQL built via interpolation, concatenation, or ORM raw escape hatches.
the AI builds a query via template literal because it's writing javascript and that's how javascript people build strings. the ORM's parameter binding is right there. the AI doesn't use it.
5 patterns: template-literal interpolation, string concatenation, ORM raw() / queryRawUnsafe / sql.raw escape hatches, dynamic ORDER BY / LIMIT identifiers (where placeholders can't help), sprintf-style format-string builders. Redacted line context with each finding.
catch the bobby-tables shape before it lands. fires before the diff lands.
caught a policy that would have leaked every user's comments. shipped a fix in 4 minutes.
first tool i installed. it's the one that pays for itself.
works great. one false positive on a join table — easy to ignore.
{
"fizzgig": {
"url": "https://mcp.fizzgig.ai",
"tools": ["sql_injection_sniff"]
}
}