The external/sql module currently constructs SQL queries using string concatenation based on trusted configuration values. While there is no direct injection risk—since all inputs come from static configuration files during topology submission—it would be good practice to refactor these to use prepared statements.